ccfcfc asked:
Using OpenSSL to create a client auth certificate

I wish to create a client certificate and am using OpenSSL.
I am using the link:
http://manmoahn-openssl-net.blogspot.co.uk/2011/07/creating-serverclient-certificate-pair.html
I get to step 2, "Create self-signed cert CA", and I get the following error message:
unable to find 'distinguished_name' in config
problems making Certificate Request
140103707522888:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

I have googled the error and not found a sensible solution.
How do I resolve this, or is there a simpler way to create a client auth certificate?
Thanks
ASKER CERTIFIED SOLUTION
Dave Howe
(answer hidden behind the site's membership wall)
atechnicnate

Did you follow this step first to create the CA?

openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt


http://manmoahn-openssl-net.blogspot.com/2011/06/complete-guide-to-set-up-ca-using.html
@atechnicnate: You appear to be suggesting that, before he creates a CA key, he should create a CA key. Is this some sort of Zen? :)
Lol, yeah that came out wrong/I made a dumb suggestion without reading things through.

I'm wondering if your openssl.conf file is lacking a distinguished name or perhaps you're missing a path to it altogether?

What OS are you on? On my Linux box (Ubuntu 12.04) I have openssl.cnf located at /usr/lib/ssl/, and inside that file there is this section:

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert


##################################################

Make sure that inside your conf file the distinguished_name is either present or set to request. Here is what I saw when I ran it on my unit (granted my folder structure is different...)

nate@ubuntu:/home/share$ sudo openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -days 360 -key RootCA.key -out RootCA.crt
Enter pass phrase for RootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Baltimore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet
Organizational Unit Name (eg, section) []:section8
Common Name (e.g. server FQDN or YOUR name) []:atechnicnate
Email Address []:me@you.com
@atechnicnate: All true, but in almost all cases it is easier to just cut the knot and use either xca or keytool iui :)
ccfcfc (ASKER)

Thanks for all the replies, much impressed.
I am looking at that tool XCA. I assume it replaces the need to use "openssl", which can be a pain?
I use openssl on CentOS and have never configured any openssl.conf file before, and have created certs, just not a "client auth" cert. I assume that is a standard setting.

I do like to use openssl and I prefer the command line, but I agree totally that the GUI way might be easier to use. Hoping it has full functionality.
Appreciate your comments.
XCA is basically a GUI tool to do the work for you. Now, openssl is good, but one of the downsides is that it effectively *isn't* a command line tool for purposes of CA-style generation - far too much needs to be set in an ASCII configuration file for comfort.

Client auth certs are like normal end node certs, but their usage flags are different - xca comes with built-in templates for CA, http (normal server cert) and client. You can extend that yourself by using the template editor to change the defaults to something more specific to your site (this is similar to using the config file in openssl, but xca will just present empty fields if you don't select a template, while openssl will error and bug out).
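The two points made in this thread, that the [req] section must name a distinguished_name section (the cause of the asker's NCONF_get_string error) and that a client auth cert is an ordinary end-entity cert with different usage flags, can be shown in one self-contained script. This is an added example, not code from the thread or from the linked blog; it assumes a working openssl binary, and every path, DN value and file name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: minimal openssl.cnf with the [req] -> distinguished_name link
# the asker's config was missing, a v3_client section carrying the clientAuth
# extended key usage, and the commands to build a CA and sign a client cert.
# Assumes `openssl` is on PATH; all DN values and file names are constructed.

write_config() {
    # $1 = directory in which to write openssl.cnf (constructed contents)
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name   # the key the asker's file lacked
x509_extensions     = v3_ca                    # used only by `req -x509`

[ req_distinguished_name ]
C  = GB
O  = Example Org (constructed)
CN = Example Client CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_client ]
# End-entity profile: same shape as a server cert, different usage flags.
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {
    # $1 = working directory; creates ca.key and a self-signed ca.crt
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -new -x509 -days 365 \
        -key "$1/ca.key" -out "$1/ca.crt"
}

make_client() {
    # $1 = working directory, $2 = client name; -subj overrides the config DN
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -new -key "$1/$2.key" \
        -subj "/C=GB/O=Example Org (constructed)/CN=$2" -out "$1/$2.csr"
    # Sign with the CA, pulling the v3_client extensions from the same file.
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions v3_client -out "$1/$2.crt"
}

# Returns 0 when the certificate carries the clientAuth extended key usage.
client_cert_is_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Returns 0 when $2 chains to the CA certificate $1.
client_cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs the whole procedure in a fresh temp directory and prints its path.
build_demo() {
    dir=$(mktemp -d)
    write_config "$dir"
    make_ca "$dir" >/dev/null 2>&1
    make_client "$dir" alice >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: sh client-cert.sh
if [ "$(basename "$0")" = "client-cert.sh" ]; then
    d=$(build_demo)
    openssl x509 -in "$d/alice.crt" -noout -subject -issuer
    openssl x509 -in "$d/alice.crt" -noout -text | grep -A1 "Extended Key Usage"
fi
```

The CA certificate is built with `x509_extensions = v3_ca`, while the client certificate gets its extensions from `-extensions v3_client` at signing time; the distinguished_name key is what lets `openssl req` find a DN at all, which is exactly the lookup that failed in the asker's error output.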
ccfcfc (ASKER)

DaveHowe, thanks for your feedback. I have been looking; it definitely looks easier to use than OpenSSL, and I agree on usage.

Much appreciated.
OpenSSL is *really really* good if you are a C programmer and can use it programmatically - it's a library, and the utilities most people use are actually more test vector tools than actual production ones.

I do recall fondly there was an ActiveX wrapper for it that was scriptable - great if you wanted to write your CA in VBScript or (more importantly) call real crypto from MS Access :)