Hi,

I am trying to make a fake CA and sign a certificate with it to use with stunnel (which just seems to be calling OpenSSL routines, so you probably don't need to know the program to help :). However, stunnel keeps rejecting my certificate saying that it isn't signed with the right key!

This is how I'm generating my keys and certs with OpenSSL:

openssl genrsa -out ca_key.pem 1024

openssl req -config ./root2.cfg -new -sha1 -x509 -key ca_key.pem -out ca_cert.pem -subj "/CN=blah.blah.com/OU=Dev blah CA/C=CA/ST=blah/L=blah/O=Blah Software"

openssl genrsa -out MPS_key.pem 1024

openssl req -config ./MPS2.cfg -new -sha1 -key MPS_key.pem -out MPS_cert_req.pem -subj "/CN=blah.blah.com/OU=blah Certificate/C=CA/ST=blah/L=blah/O=Blah Software"

openssl x509 -req -in MPS_cert_req.pem -signkey ca_key.pem -out MPS_cert.pem -extensions MPS_ext

Then my stunnel.conf has these entries:

CAfile = ca_cert.pem
key = MPS_key.pem
cert = MPS_cert.pem

When I try and start stunnel I get the generic OpenSSL "key doesn't match certificate" error:

2009.09.09 16:36:04 LOG3[492:172]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Did I do something wrong in generating my files?

+1  A: 

I'll summarize what you have set up:

  1. You have a "CA" certificate, which is self-signed.
  2. You have MPS_cert, which is self-signed.
  3. You signed MPS_cert using the CA key.

If you read the reference for OpenSSL's x509 command (http://openssl.org/docs/apps/x509.html) you'll see that the -signkey parameter instructs OpenSSL to self-sign the supplied certificate with the given private key. This is not what you want.

What you want to do is create a self-signed CA and then use that to sign your CSR and generate a valid certificate.

openssl verify ca_cert.pem
ca_cert.pem: /CN=blah.blah.com/OU=Dev blah CA/C=CA/ST=blah/L=blah/O=Blah Software
error 18 at 0 depth lookup:self signed certificate
OK

openssl verify MPS_cert.pem
MPS_cert.pem: /CN=blah.blah.com/OU=blah Certificate/C=CA/ST=blah/L=blah/O=Blah Software
error 18 at 0 depth lookup:self signed certificate
OK

The relevant options are -CA, -CAkey, and -set_serial.

openssl x509 -CA ca_cert.pem -CAkey ca_key.pem -set_serial 1 -req -in MPS_cert_req.pem -out MPS_cert2.pem -days 365

This should result in a certificate which is signed by your CA, which is itself self-signed.

Will Bickford
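The same procedure run end to end, added here as an example (not code from the question, the answer or stunnel) with made-up paths and subjects: it issues one certificate with -CA/-CAkey and one with -signkey, then checks each against the leaf key the way X509_check_private_key does (modulus comparison) and against the CA the way stunnel's CAfile does (openssl verify).

```shell
#!/bin/sh
# Added example (not the poster's files or stunnel's code): throwaway CA,
# one leaf issued the right way (-CA/-CAkey), one the wrong way (-signkey),
# plus the key/cert consistency check behind the poster's error. Names are made up.
set -eu
# 0 when the RSA modulus in certificate $1 equals the modulus of private key
# $2, i.e. the pair that stunnel's cert=/key= options expect to go together.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}
# 0 when certificate $2 chains to the trust anchor in $1 (what CAfile= checks).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Builds under directory $1: ca_cert.pem/ca_key.pem (self-signed CA),
# leaf_cert.pem/leaf_key.pem (issued by the CA, correct) and
# wrong_cert.pem (the same CSR "signed" with -signkey ca_key.pem).
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # Small req config (stands in for the poster's ./root2.cfg) so the CA
    # cert carries CA:TRUE regardless of what the system openssl.cnf says.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Dev CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    openssl genrsa -out "$dir/ca_key.pem" 2048 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -x509 -days 365 \
        -key "$dir/ca_key.pem" -out "$dir/ca_cert.pem"
    openssl genrsa -out "$dir/leaf_key.pem" 2048 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -key "$dir/leaf_key.pem" \
        -subj "/CN=leaf.example.test" -out "$dir/leaf.csr"
    # Right: CA cert + CA key sign the CSR; the cert keeps the CSR's public key.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca_cert.pem" \
        -CAkey "$dir/ca_key.pem" -set_serial 1 -days 365 \
        -out "$dir/leaf_cert.pem" 2>/dev/null
    # Wrong (the question's command): -signkey self-signs with the CA key and
    # places that key's public half in the cert, so leaf_key.pem no longer fits.
    openssl x509 -req -in "$dir/leaf.csr" -signkey "$dir/ca_key.pem" \
        -days 365 -out "$dir/wrong_cert.pem" 2>/dev/null
}
```

Run `build_pki ./demo`, then `key_matches_cert demo/leaf_cert.pem demo/leaf_key.pem` succeeds while `key_matches_cert demo/wrong_cert.pem demo/leaf_key.pem` fails, which is exactly the mismatch stunnel reported.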