7

I tried to use openssl to sign a cert request with my own CA. There are two options.

  1. openssl x509.

    openssl x509 -req -CA ca.crt -CAkey ca.pem -in bob.csr -out bob.crt -CAcreateserial

Some posts say x509 is used to generate self-signed certificates.

But an error occurs when using openssl x509:

    unable to load certificate 6612:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

  2. openssl ca:

    openssl ca -in bob.csr -out bob.crt -keyfile ca.key 

It needs openssl.config to be configured beforehand, e.g., creating the dir ./demoCA.

Please let me know which way is correct. If openssl x509 is correct, how do I solve the "expecting trusted certificate" error? Much appreciated!

2
  • 1
    Your first command should work (and does for me) if the -CA file (here ca.crt) contains the CA cert; if the -CA file is something other than a cert I get the error you do (and if it's a cert but the wrong cert I get 0B080074 ... key values mismatch). Check that file. openssl ca is a valid alternative which does need several things set in a config file, although that file can have any name you choose (with -config) and it doesn't have to use a specific subdirectory or even any subdirectory; that's just a convention. Commented Jun 2, 2015 at 4:01
  • I had the same message after SSL_CTX_use_certificate and I solved it by merging two files into one: the one with -----BEGIN RSA PRIVATE KEY----- and the one with -----BEGIN CERTIFICATE-----. Commented Feb 18, 2021 at 14:28
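As an added example (not the asker's or the answerer's code), the following POSIX shell script builds a throwaway CA, issues a certificate for a CSR with `openssl x509 -req -CA ... -CAkey ...` as in the first command of the question, and first checks that the -CA file actually holds a PEM certificate, which is the cause the comment above points to for the "Expecting: TRUSTED CERTIFICATE" error. All file names and subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the question or answer. Signs a CSR with a private
# CA using `openssl x509 -req`, after checking that the -CA argument really is
# a PEM certificate: handing it a key or CSR is what produces
# "no start line ... Expecting: TRUSTED CERTIFICATE".
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; all file names below are constructed

# 0 if the file holds a PEM CERTIFICATE block, 1 otherwise.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Throwaway CA: key plus self-signed cert (this is what `req -x509` is for).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Bob's key and signing request (`req` without -x509 yields a CSR, not a cert).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bob.example" \
        -keyout "$WORK/bob.key" -out "$WORK/bob.csr" >/dev/null 2>&1
}

# Issue a certificate for a CSR. Refuses if $1 is not a certificate, which is
# the misconfiguration behind the error in the question.
sign_csr() {
    ca_cert="$1"; ca_key="$2"; csr="$3"; out="$4"
    if ! is_pem_cert "$ca_cert"; then
        echo "refusing: $ca_cert is not a PEM certificate" >&2
        return 1
    fi
    openssl x509 -req -days 90 -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -in "$csr" -out "$out" >/dev/null 2>&1
}

# 0 if the issued certificate chains to the CA, 1 otherwise.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    make_ca
    make_csr
    sign_csr "$WORK/ca.crt" "$WORK/ca.key" "$WORK/bob.csr" "$WORK/bob.crt"
    verify_cert "$WORK/bob.crt" && echo "bob.crt verifies against ca.crt"
fi
```

Passing ca.key (or the CSR) as the -CA argument is rejected by the pre-check instead of reaching openssl, which is the same situation the error message in the question describes.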

1 Answer

5

Please let me know which way is correct. If openssl x509 is correct, how do I solve the "expecting trusted certificate" error? Much appreciated!

You use openssl x509 to work with certificates. Since you don't have a certificate, you should not use openssl x509.

You use openssl req for signing requests. If you use just openssl req, then you create a signing request.

If you use openssl req -x509, then you create a self-signed certificate. It forgoes the signing request and moves directly to the certificate.

If you need help becoming your own CA, then see How do you sign Certificate Signing Request with your Certification Authority?

If you need help with signing requests and well-formed certificates, then see How to create a self-signed certificate with openssl?.


1 Comment

req -x509 can only create self-signed certificates, which is apparently not what OP wants. x509 has several functions, among which x509 -req -CA [-CAkey], as the OP correctly shows, can create a signed-by-CA cert.
