SSL problems

Discussion in 'Installation/Configuration' started by Rockdrala, Jan 9, 2008.

  1. Rockdrala

    Rockdrala New Member

    Im trying to set a ssl certificate authority

    on a second installation of ispconfig

    I get this error when doing openssl ca

    [[email protected] ~]# openssl ca
    Using configuration from /etc/pki/tls/openssl.cnf
    Error opening CA private key ../../CA/private/cakey.pem
    30739:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
    30739:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    unable to load CA private key
    [[email protected] ~]#
    Is there a reason why this is?

    Does the perfect install for centos 5.1 cause this somehow?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    For me it looks as if you have to create a openssl key for the ca first.
  3. Rockdrala

    Rockdrala New Member

    Im following instructions from

    set two quotes

    Openssl has a global configuration file that it uses. To find out the location of this file use
    [email protected]:~> openssl ca

    Using configuration from /usr/share/ssl/openssl.cnf

    This file has some useful sections.. Take a look at it. Pretty much self explanatory. Let us now start making our own Certificate Authority

    So im assuming "openssl ca" is supposed to show global configurations.

    i cant go to step 3 if step 2 doesnt have the global configuration files it needs :O
    I remember making symlinks in the Perfect setup guide for centos 5.1 as instructed. Thats why im asking.
    Last edited: Jan 9, 2008
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The global configuration file in your case is:


    But if you just want to use SSL certificates in ISPConfig websites, I recommend to use the builtin functions of ISPConfig to create a csr and certificate.
  5. Rockdrala

    Rockdrala New Member

    So this sets up a CA in ISPconfig?

    Here is my goal.

    I have ns1 and ns2 on different boxes.

    my ns1 hosts websites as well. They both have ispconfig installed on them.

    Since my ns2 ISPconfig doesnt do anything but be a slave for ns1 i want it to hande Certification Authority.

    This where im getting stuck on this step.

    The second server does not handle webhosting. It justs a nameserver "ns2" So im trying to make it handle Certification Authority

    Resources ive read on this.

    being your own CA helps to prevent expensive fees from Thawte or Verisign for otherwise what is a perfectly good Certificate.
    Last edited: Jan 9, 2008
  6. Rockdrala

    Rockdrala New Member

    So do you think this is doable on my second nameserver box?

    And how will it collide with ISPconfig.

    I recall all the symlinks made but i dont think ISPconfig is a CA itself.

    Im trying to follow the instruction 2nd step here on my second box.

    and its giving that error.
  7. falko

    falko Super Moderator ISPConfig Developer

    But you will still get warnings in a browser because browsers don't know your CA.
  8. Rockdrala

    Rockdrala New Member

    Yes but a different type of Error it will ask them if they want to trust the Certificate Athourity.

    They will say yes and never get the error message again.

Share This Page