Be your own CA - question
Posted: 07 Sep 2011, 16:16
by beweb
Hi all,
I'm trying to become my own CA.
wiki.excito.org/wiki/index.php/Be_your_own_CA
Followed the tutorial... but I'm stuck at line 5.
It says 'chmod 600 index.txt serial openssl.cnf '
But where do I get the index.txt and serial from?
When I enter this line it replies:
chmod: cannot access `index.txt': No such file or directory
chmod: cannot access `serial': No such file or directory
Any suggestions?
Re: Be your own CA - question
Posted: 07 Sep 2011, 16:40
by beweb
little addition:
First ignored the files and then got this:
openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
Using configuration from openssl.cnf
Enter pass phrase for ./private/myca.key:
./index.txt: No such file or directory
unable to open './index.txt'
6601:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./index.txt','r')
6601:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
root@b3:/home/bas/CA# openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.key
Using configuration from openssl.cnf
Enter pass phrase for ./private/myca.key:
./index.txt: No such file or directory
unable to open './index.txt'
6605:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./index.txt','r')
6605:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
Then made empty files but that also didn't work:
openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
Using configuration from openssl.cnf
Enter pass phrase for ./private/myca.key:
unable to load number from ./serial
error while loading serial number
6646:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Re: Be your own CA - question
Posted: 07 Sep 2011, 16:42
by Ubi
You are correct that this is incorrect in the wiki.
In the openssl.cnf there are usually two lines that say
serial = $dir/serial
database = $dir/index.txt
My suggestion to solve your problem would be to do
touch index.txt
echo 1000 > serial
chmod 600 index.txt serial openssl.cnf
BTW: googling for "openssl index.txt serial" would have given you this information as well...
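The setup Ubi describes, worked through end to end as an added example (this script is not from the thread, the wiki or Gordon's post): it creates the CA directory layout, the empty index.txt and the serial file, a minimal openssl.cnf containing the serial and database lines, a CA key and certificate, then signs one server CSR with openssl ca and verifies the chain. The directory layout, the subject names and the host name b3.example.test are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: minimal "be your own CA" with OpenSSL, not the wiki's script.
# Assumed: layout under a temp dir, CN "Example Test CA", host b3.example.test.
set -eu

# Write a minimal openssl.cnf whose [ CA_default ] points at $1 (absolute).
# 'database' and 'serial' are the lines that make 'openssl ca' insist on
# index.txt and serial existing before it will sign anything.
write_ca_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/myca.key
certificate = \$dir/certs/myca.crt
default_md = sha256
default_days = 365
policy = policy_anything
unique_subject = no
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:b3.example.test
EOF
}

# The step the wiki left out: directories, an empty database and a serial
# file (hex, even number of digits), then the chmod from the tutorial.
init_ca_dir() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    write_ca_config "$dir"
    chmod 600 "$dir/index.txt" "$dir/serial" "$dir/openssl.cnf"
}

# Self-signed CA certificate. -nodes leaves the key unencrypted only so the
# demo runs unattended; a real CA key should be passphrase-protected.
create_ca_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/private/myca.key" -out "$dir/certs/myca.crt" 2>/dev/null
    chmod 600 "$dir/private/myca.key"
}

# Server key + CSR, then the same 'openssl ca' invocation as in the thread
# (-batch replaces the interactive sign/commit prompts, -in replaces -infiles).
issue_server_cert() {
    dir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/openssl.cnf" -policy policy_anything \
        -extensions server_cert -in "$dir/server.csr" -out "$dir/certs/server.crt"
}

# Exit 0 if server.crt chains to the CA certificate.
verify_chain() {
    openssl verify -CAfile "$1/certs/myca.crt" "$1/certs/server.crt" >/dev/null 2>&1
}
next_serial()  { cat "$1/serial"; }              # rewritten by openssl ca
issued_count() { grep -c '^V' "$1/index.txt"; }  # valid ('V') entries

# Stand-alone demo in a throwaway directory.
demo_dir=$(mktemp -d)
init_ca_dir "$demo_dir"
create_ca_cert "$demo_dir"
issue_server_cert "$demo_dir" b3.example.test
verify_chain "$demo_dir" && echo "server.crt chains to myca.crt"
echo "next serial: $(next_serial "$demo_dir"), issued: $(issued_count "$demo_dir")"
rm -rf "$demo_dir"
```

Run it with sh; it needs only the openssl command. The two lines that cure the errors quoted above are the empty index.txt and `echo 1000 > serial`: openssl ca reads the serial file as hex, uses it for the certificate it signs, writes the new index.txt entry, and rewrites the serial file with the next value (1001 here), so the files must exist but must not be hand-edited between signatures.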
Re: Be your own CA - question
Posted: 07 Sep 2011, 16:56
by beweb
echo 1000 > serial looks like the answer...
Thanks
Re: Be your own CA - question
Posted: 08 Sep 2011, 08:06
by Gordon
Just use the script from
THIS post, it handles all requirements for being your own CA
Re: Be your own CA - question
Posted: 08 Sep 2011, 15:17
by Ubi
Gordon,
Your solution is running a big shell script from an uncredited source. Maybe it'll open a backdoor to your ssh server, reset your passwords or erase your hard drive.
Look, I appreciate your effort of making this script, but it's largely devoid of comments and instructions. It's generally bad practice for people to run unknown scripts from unknown sources. So please put this script in documented form in the wiki. Until then I will keep advising people to use the howto-method rather than the magic-script method.
Re: Be your own CA - question
Posted: 08 Sep 2011, 15:29
by Eek
Sorry Beweb,
I had indeed forgotten to add these instructions
Thanks Ubi for also correcting the wiki
Re: Be your own CA - question
Posted: 08 Sep 2011, 17:46
by Gordon
Ubi wrote:Gordon,
Your solution is running a big shell script from an uncredited source. Maybe it'll open a backdoor to your ssh server, reset your passwords or erase your hard drive.
Look, I appreciate your effort of making this script, but it's largely devoid of comments and instructions. It's generally bad practice for people to run unknown scripts from unknown sources. So please put this script in documented form in the wiki. Until then I will keep advising people to use the howto-method rather than the magic-script method.
Maybe...
The thing about shell scripts is that you can read them. There's no real magic to it. Besides, about half of the lines in there are response feeds anyway and it's impossible to put comments in between those. And if you're still suspicious about running it, you can at least use it to learn what type of commands you can feed to openssl. Reinvent the wheel if you like, but if it turns out to look the same as the one I showed you I'd appreciate a word of credit. Okay?
Re: Be your own CA - question
Posted: 09 Sep 2011, 04:45
by beweb
Looked at the script but didn't quite understand the whole impact.
The fact that it's still online on this forum gives a clue about how trustworthy it is.
But, given the lack of experience on my side, I choose the tutorial.
But thanks for pointing it out.