Dunny

Reputation: 170

Force OpenSSL to not use /etc/pki/CA/newcerts

I am trying to generate the CA key for my server but I don't have root access. So when I run the code below, I obviously get the permission denied error. Is there a way to force it to write somewhere else, like under my user's folder?

I looked through the parameters for openssl and couldn't find anything that seemed to be what I needed.

openssl ca -extensions v3_ca -out /home/cdonohue/certs/ca.pem -keyfile /home/cdonohue/certs/server-key.pem -verbose -selfsign -md sha256 -enddate 330630235959Z -infiles /home/cdonohue/certs/server-crt.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/cdonohue/certs/server-key.pem:
I am unable to access the /etc/pki/CA/newcerts directory

Upvotes: 0

Views: 1851

Answers (1)

dave_thompson_085

Reputation: 38771

The command-line option for ca to override new_certs_dir is -outdir, as stated on the man page.

However, the serial and 'index' files are conventionally in the same place, so you probably won't be able to write them either, and they have no command-line options. To get around those you'll need to create and use your own config file, and once you do that you no longer need most of the options you are now using.

Also using section v3_ca from the default config file will produce a certificate that is not really suitable for a server certificate, although it will probably work at least in some cases. And using any self-signed cert for a server is dubious, unless the server is accessed only by clients within a reasonably small community (like an organization's intranet) or for debugging and testing.

However, once you aren't using any of the files of the 'system' CA configuration and you are issuing a self-signed cert, there isn't really any point to using ca to do this unless you really need that exact expiration (unlikely) or you are using copy_extensions, which is disabled in the default config. Otherwise, either req -x509 or x509 -req -signkey can produce an equivalent self-signed cert from a CSR much more simply. And there are numerous Qs on StackOverflow, SuperUser, ServerFault, and Security.SX about both of them, as well as the man pages.

Upvotes: 1
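An added example (not from the answer above and not OpenSSL project code) showing both routes the answer describes: a CA directory under the user's home with its own config, index and serial files so openssl ca needs nothing under /etc/pki, and the simpler req -x509 alternative. Directory and file names are assumptions.

```sh
# Added example (not from the original post): a CA layout under the user's
# home so "openssl ca" never touches /etc/pki/CA. All paths are assumptions.
set -eu

# Build $1 as a private CA directory with its own config, index and serial.
make_local_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir/newcerts"
  : > "$ca_dir/index.txt"       # empty database, as "openssl ca" expects
  echo 01 > "$ca_dir/serial"    # first serial number, hex
  cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca

[ local_ca ]
new_certs_dir   = $ca_dir/newcerts
database        = $ca_dir/index.txt
serial          = $ca_dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
copy_extensions = none

[ policy_any ]
commonName      = supplied

[ server_ext ]
# server-style extensions instead of the default v3_ca section
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Self-sign CSR $2 with its key $3, writing the cert to $1/server.pem.
selfsign_with_ca() {
  openssl ca -batch -config "$1/openssl.cnf" -selfsign -keyfile "$3" \
    -in "$2" -out "$1/server.pem" -notext
}

# The simpler route from the answer: req -x509 self-signs straight from the key.
selfsign_simple() {
  openssl req -x509 -config "$1/openssl.cnf" -key "$2" -subj "/CN=$3" \
    -days 365 -out "$4"
}
```

The [req] section exists only so that req commands can use the same config file; with selfsign_simple no newcerts directory, index or serial file is ever touched.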
