
I tried to use openssl to sign cert request with my own CA. There are two options.

  1. openssl x509:

    openssl x509 -req -CA ca.crt -CAkey ca.pem -in bob.csr -out bob.crt -CAcreateserial


Some posts say x509 is used to generate self-signed certificates.

But an error occurs using openssl X509:

    unable to load certificate
    6612:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

  2. openssl ca:

    openssl ca -in bob.csr -out bob.crt -keyfile ca.key


It requires configuring openssl.config beforehand, e.g., creating the directory ./demoCA.

Please let me know which way is correct. If openssl x509 is correct, how do I solve the "expecting trusted certificate" error? Much appreciated!

    Your first command should work (and does for me) if the `-CA` file here `ca.crt` contains the CA cert; if the `-CA` file is something other than a cert I get the error you do (and if it's a cert but the wrong cert I get `0B080074 ... key values mismatch`). Check that file. `openssl ca` is a valid alternative which does need several things set in a config file, although that file can have any name you choose (with `-config`) and it doesn't have to use a specific subdirectory or even any subdirectory, that's just a convention. – dave_thompson_085 Jun 02 '15 at 04:01
  • I had the same message after `SSL_CTX_use_certificate` and I solved it with merging two files into one: the one with `-----BEGIN RSA PRIVATE KEY-----` and the one with `-----BEGIN CERTIFICATE-----` – quant2016 Feb 18 '21 at 14:28

1 Answer


> Please let me know which way is correct. If openssl x509 is correct, how do I solve the "expecting trusted certificate" error? Much appreciated!

You use openssl x509 to work with certificates. Since you don't have a certificate, you should not use openssl x509.

You use openssl req for signing requests. If you use just openssl req, then you create a signing request.

If you use openssl req -x509, then you create a self signed certificate. It forgoes the signing request and moves directly to the certificate.

If you need help becoming your own CA, then see How do you sign Certificate Signing Request with your Certification Authority?

If you need help with signing requests and well-formed certificates, then see How to create a self-signed certificate with openssl?

  • `req -x509` can only create selfsigned, which is apparently not what OP wants. `x509` has several functions, among which `x509 -req -CA [-CAkey]` as the OP correctly shows can create a signed-by-CA cert. – dave_thompson_085 Jun 02 '15 at 04:02
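The flow the question and the comments describe, as an added example that is not part of the question or the answer: `req -x509` makes the self-signed CA, plain `req` makes the CSR, and `x509 -req -CA -CAkey` issues the CA-signed certificate, with a check up front that the `-CA` file really holds a PEM certificate (a key or CSR handed to `-CA` is what produces the "Expecting: TRUSTED CERTIFICATE" error). File names follow the question; the function names and the scratch-directory flow are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answers): sign a CSR with your own CA
# via `openssl x509 -req`, after checking that the -CA file is a PEM certificate.
# File names follow the question; function names are assumptions.
set -eu

# 0 if $1 parses as a PEM certificate (what -CA must point to); non-zero if it
# is a key, CSR or anything else (the "Expecting: TRUSTED CERTIFICATE" case).
is_pem_cert() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Self-signed CA certificate plus key: this is what `req -x509` is for.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
}

# End-entity key and CSR: plain `req` without -x509.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bob" \
        -keyout bob.key -out bob.csr >/dev/null 2>&1
}

# Sign bob.csr with CA cert $1 and CA key $2; refuse a -CA file that is not a cert.
sign_csr() {
    is_pem_cert "$1" || { echo "refusing: $1 is not a PEM certificate" >&2; return 1; }
    openssl x509 -req -in bob.csr -CA "$1" -CAkey "$2" -CAcreateserial \
        -days 90 -out bob.crt >/dev/null 2>&1
}

# 0 only if bob.crt chains to ca.crt.
verify_cert() {
    openssl verify -CAfile ca.crt bob.crt >/dev/null 2>&1
}

# Whole flow in a scratch directory. Returns 0 when the correct invocation signs
# and verifies AND the wrong one (the CA key passed as -CA) is rejected.
demo() {
    d=$(mktemp -d)
    rc=1
    if ( cd "$d" && make_ca && make_csr \
         && sign_csr ca.crt ca.key && verify_cert \
         && ! sign_csr ca.key ca.key ); then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}
```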