5th May 2009, 16:13
falko

What's in ./openssl.cnf?

6th May 2009, 10:43
pixel.hu
openssl.cnf


Nothing. I don't even have a file like that. I mean the howto didn't specify from which folder I should run the command, so I ran it from /etc/racoon and from other places too. (The howto mentioned openssl.conf; I tried that too.)

But #locate openssl.conf only gives this one answer


After a bit of browsing I found openssl.cnf in /etc/ssl, and it indeed has a few parts I think should work. Pasting them now:


[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert


[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.



# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]


So I think I am missing something, but I don't know where I make that mistake.


Laszlo Balogh

6th May 2009, 10:53
topdog

This is how to call the command.

openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config /etc/ssl/openssl.cnf
and the privateKey directory needs to exist in your pwd.
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
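
The command from the post above, wrapped as an added non-interactive example (not part of the original thread): it creates the privateKey directory the post says must exist, writes a constructed minimal config, and checks the resulting files. The function names, the CA_PASS variable, the 2048-bit key size and the critical basicConstraints/keyUsage lines are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example: create a CA certificate with the v3_ca extensions, then verify it.
# Usage: export CA_PASS=...; make_ca DIR   (names and layout are assumptions)
make_ca() {
    dir=$1
    [ -n "$CA_PASS" ] || { echo "export CA_PASS first" >&2; return 1; }
    export CA_PASS

    # -keyout privateKey/cakey.pem fails unless this directory already exists.
    mkdir -p "$dir/privateKey" || return 1
    chmod 700 "$dir/privateKey"

    # Constructed minimal config; section names follow the excerpt posted above.
    # 2048 bits is used here instead of the 1024 shown in the thread's excerpt.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[ req_distinguished_name ]
CN = Constructed Test CA

[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
EOF

    # Run inside DIR so the relative privateKey/ path resolves, as in the post.
    (
        cd "$dir" || exit 1
        umask 077
        openssl req -new -x509 -extensions v3_ca \
            -keyout privateKey/cakey.pem -out cacert.pem -days 3650 \
            -config ./openssl.cnf -passout env:CA_PASS
    )
}

# Succeeds only if the certificate carries the CA basic constraint.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the private key is stored encrypted (PEM header check).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}
```

Running is_ca_cert against cacert.pem confirms that the -extensions v3_ca section was actually picked up from the config passed with -config.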

6th May 2009, 12:04
pixel.hu
finished at last

Hi there!

Thx for all the help!

I finally finished.

I had to create a few directories and move around a few files, but it is done.

Last it asked for a serial file. I just created one empty serial file,
and wrote random numbers in one line into it. It swallowed it.

Now if I can only get shorewall tunnelling done it'll work.

Thx a lot

Laszlo Balogh

All times are GMT +2.