views:

944

answers:

1

Edit: Haven't solved my problems, but I've moved on to new and more exciting problems.
Leaving this here in case anyone has an insight that'll help someone who stumbles onto this question in the future.

Hi, I'm attempting to send an encrypted email from php to outlook. As such, I need to generate a certificate to import into outlook. I had no problem generating a set of keys using openssl and the CA.pl script that comes with it, but when I try to run the command to generate the PKCS12 file to import into outlook it complains about a missing "demoCA" directory. It appears this directory is a part of openssl, and is referenced in the openssl config... but I have no idea where it is. I've searched the drive in many ways from grep to spotlight (on OS X, though I really wasn't expecting spotlight to find anything), and can't come up with anything.

The command I was trying to run is:

$ openssl ca -cert newcert.pem -ss_cert newcert.pem
Using configuration from /sw/etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory trying to load CA private key
19918:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
19918:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

I am a bit of a noob when it comes to encryption / SSL, so I might be missing something stupid (I'm sure of it, haha).

+2  A: 

You should create a new CA by means of the script provided, which is easier than just handling all the openssl options. You can do this by means of openssl bundled with Cygwin inside Windows itself or use your favourite Unix distro. I will show you how to do it with bash scripts (but perl scripts should be the same).

$ ./CA.sh -newca

This creates the demoCA directory with the CA certificate inside it. As you invoke the above command you will be prompted for the fields of the CA certificate (CN, OU, etc.) and the CA private key passphrase.

Now you can create certificate requests or certificates from certificate requests.

$ ./CA.sh -newreq

This prompts for the new certificate request's fields and the passphrase to encrypt the private key generated. By default the request is left in the same directory as CA.sh (newreq.pem). It is important that you use as CN (Common Name) the email address you have.

Now you only need to sign it and you have a full blown certificate.

$ ./CA.sh -sign

This will generate newcert.pem, which is the signed certificate request. You have your certificate; you only need to pack the certificate and the private key inside a PFX or P12 file, which the Microsoft CSP recognizes.

Then copy the contents of newreq.pem and newcert.pem into a file.

$ cat newreq.pem > keypair.pem
$ cat newcert.pem >> keypair.pem

And now generate the P12 file by means of the openssl shell (this time we don't have the help of any script). It will prompt you for the passphrase you used when the request was generated and then the export password (to encrypt the private key inside the p12 file).

$ openssl pkcs12 -export -in keypair.pem  -out mykeypair.p12
Enter pass phrase for keypair.pem:
Enter Export Password:
Verifying - Enter Export Password:

Et voilà. You have a PKCS#12 file that you can double click in Windows and import into your keystore and use as a mail signing certificate (I don't remember if default options are enough or you need to specify some additional attributes when creating the certificate so Outlook recognizes it as an e-mail signing certificate). You will also need to import the CA certificate as a trusted CA (copy cacert.pem, which is inside the demoCA directory, to cacert.cer and double click it to import).

Fernando Miguélez
Thanks for the awesome answer. You really summarized all the random documentation out there into a form that made it all come together. Thanks! Just FYI, it seems CA.pl / sh allows for creating PKCS#12 files. CA.pl -pkcs12 "[email protected]"
Electronic Zebra
Maybe my openssl version is just too old :-)
Fernando Miguélez
Wow, excellent answer, is related to stuff I'm using as well. Thanks.
Jeff Allen
Great time saver, however shouldn't it be:

$ cat newkey.pem > keypair.pem
$ cat newcert.pem >> keypair.pem
sipwiz
No, it is correct, since the request holds the private key, and you also only need the signed request (certificate) to have the key pair valid for a PKCS#12 file.
Fernando Miguélez
Ok must just be my openssl install. I'm using cygwin on Windows and the private key isn't in the request file. In my case I do need to cat the private key in otherwise the p12 generation fails.
sipwiz
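The whole procedure from the answer (-newca, -newreq, -sign, pkcs12 -export) as one added example that is not part of the original answer: it recreates the demoCA layout that `openssl ca` was complaining about in the question, signs the request with an explicit extension section so the certificate carries the e-mail protection EKU the answer was unsure about, and passes the private key file explicitly with -inkey, which sidesteps the newreq.pem/newkey.pem disagreement in the comments. The CA subject, the user address, file names and the export password are constructed for the demo; it assumes openssl 1.1.1 or newer on PATH.

```shell
# Added example, not from the original post: recreates the demoCA tree that
# "CA.sh -newca" builds, signs an S/MIME request with "openssl ca" and packs the
# result into PKCS#12. Names and the export password are constructed; needs openssl 1.1.1+.
set -e
# Usage: make_smime_p12 <empty work dir> <e-mail address for the user cert>
make_smime_p12() {
  cd "$1"
  # The part the question's error message was missing: "openssl ca" wants this
  # directory layout plus an (empty) index and a serial file before it signs.
  mkdir -p demoCA/private demoCA/newcerts; touch demoCA/index.txt; echo 01 > demoCA/serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
policy = policy_any
x509_extensions = smime_ext
[ policy_any ]
commonName = supplied
emailAddress = optional
[ smime_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
EOF
  # CA key + self-signed CA certificate (what -newca produces).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Mail CA" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
  # User key + request (-newreq); the key lands in its own file, newkey.pem.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2/emailAddress=$2" \
    -keyout newkey.pem -out newreq.pem 2>/dev/null
  # Sign (-sign). smime_ext gives the cert the e-mail EKU and the address as a SAN.
  openssl ca -batch -config ca.cnf -md sha256 -days 365 -notext \
    -in newreq.pem -out newcert.pem 2>/dev/null
  # Pack key, cert and CA chain; naming -inkey avoids the newreq/newkey question.
  openssl pkcs12 -export -inkey newkey.pem -in newcert.pem \
    -certfile demoCA/cacert.pem -passout pass:export-pw -out mykeypair.p12
}
# Prints "yes" if the user certificate inside the .p12 carries the e-mail EKU.
p12_has_email_eku() {
  openssl pkcs12 -in "$1" -passin pass:export-pw -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -text | grep -q "E-mail Protection" && echo yes || echo no
}
```

The generated demoCA directory, index.txt and serial are exactly what `openssl ca` looks for relative to the current directory, which is why the question's invocation failed outside the directory where CA.pl had been run.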