Skip to main content
Unix & Linux

Return to Revisions

1 of 5
willowen100
willowen100
  • 67
  • 4
  • 14

Default Directories Not Working In OpenSSL Configuration File

I have set the directory in the /etc/ssl/openssl.cnf file but every time I issue the command

openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem -days 3650

it places the files in the root directory of the directory I'm working in.

[ CA_default ]

dir     = /home/will/myCA   # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several certs with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

If the directories were working I should expect this

Generating a 2048 bit RSA private key
.................................+++
.................................................................................................+++
writing new private key to '/home/bshumate/myCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

writing new private key to '/home/bshumate/myCA/private/cakey.pem'

I have upgraded my version of OpenSSL directly from the website using the binaries and is now installed under /etc/local/ssl. Unfortunately I still don't understand why the files I am generating with OpenSSL are not being sorted into folders/directories.

Does anybody know why the default directories are not working?

Many thanks

Will

willowen100
  • 67
  • 4
  • 14