Creating a Certificate Authority for postfix via gmail. Failure!

Hi,

Unless I'm mistaken, it is possible to create x certificates if needed.

I drew on the following docs and tutorials:

Ajouter le SMTP de Gmail en SmartHost avec Postfix sous Ubuntu Server
Guide pratique des certificats SSL
Gérer une authorité de certification (CA) complète avec OpenSSL (SSL/TLS)

But I readily admit that I get a bit, a lot, hugely lost...

However, since last night it can't be done! Whereas a few hours earlier...

[code]:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:FR

(…)[/code]

[code]:~# openssl req -new -nodes -subj '/CN=Debian-pc-1/O=Mon_Domaine.net/C=FR/ST=Nord de France/emailAddress=Mon_Adresse@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'FOO-key.pem'

:~#[/code]
But that ended in failure!!!

[quote]:~# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
xx:xx:xx:xx:xx:xx:xx:xx
Validity
Not Before: Jul 30 14:31:51 2011 GMT
Not After : Jul 29 14:31:51 2012 GMT
Subject:
countryName = FR
stateOrProvinceName = Nord de France
organizationName = Mon_Domaine.net
commonName = Debian-pc-1
emailAddress = Mon_Adresse@gmail.com

(…)

Certificate is to be certified until Jul 29 14:31:51 2012 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

root@Debian-pc-1:~#[/quote]
Following that, I tried to restore the situation with mv.

[code]:~# mv /usr/lib/ssl/openssl.cnf /home/pc-1-loreleil

:~# mv /usr/lib/ssl/misc/CA.pl /home/pc-1-loreleil[/code]

I relaunched the creation of a new certificate, but the console stays silent.

[code]:~$ /usr/lib/ssl/misc/CA.pl -newca
:~$[/code]
....??????

Finally, I put /usr/lib/ssl/openssl.cnf & /usr/lib/ssl/misc/CA.pl back in their original location, and since then I've been stuck on this.

[code]:~$ su
Password:
:~# cd /usr/lib/ssl/misc/
:/usr/lib/ssl/misc# ls -l
total 32
-rwxr-xr-x 1 root root 5875 10 Feb 20:20 CA.pl
-rwxr-xr-x 1 root root 5175 10 Feb 20:20 CA.sh
-rwxr-xr-x 1 root root 119 10 Feb 20:20 c_hash
-rwxr-xr-x 1 root root 152 10 Feb 20:20 c_info
-rwxr-xr-x 1 root root 112 10 Feb 20:20 c_issuer
-rwxr-xr-x 1 root root 110 10 Feb 20:20 c_name
:/usr/lib/ssl/misc#

:/usr/lib/ssl/misc# cd /usr/lib/ssl
:/usr/lib/ssl# ls -l
total 8
lrwxrwxrwx 1 root root 14 25 Feb 20:54 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 26 Feb 10:52 engines
drwxr-xr-x 2 root root 1024 30 Jul 17:31 misc
lrwxrwxrwx 1 root root 20 26 Feb 10:52 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 25 Feb 20:54 private -> /etc/ssl/private
:/usr/lib/ssl#
[/code]

[code]:/home/pc-1-loreleil# cd /root

:~# ls -l
total 1438061
-rw-r--r-- 1 root root 4300 26 Feb 13:16 [26-02-2011][13-13-17]-nmapsi4.log
-rw-r--r-- 1 root root 2127 8 Mar 16:18 bibliotheque.txt
-rw-r--r-- 1 root root 0 21 Jun 19:09 Changelog
drwxrwxrwx 2 pc-1-loreleil pc-1-loreleil 1024 7 Mar 08:54 cles
-rw------- 1 root root 872239269 2 Jul 18:10 dead.letter
drwxr-xr-x 6 root root 1024 30 Jul 16:27 demoCA
-rw-r--r-- 1 root root 790 8 Mar 16:17 dump_file
-rw-r--r-- 1 root root 59 15 May 11:19 exclure
-rw-r--r-- 1 root root 9300 3 Mar 22:56 fichier.cap
-rw-r--r-- 1 root root 0 30 Jul 16:37 FOO-cert.pem
-rw-r--r-- 1 root root 887 30 Jul 17:38 FOO-key.pem
-rw-r--r-- 1 root root 680 30 Jul 17:38 FOO-req.pem
drwxr-xr-x 2 root root 1024 13 Feb 2006 ftester-1.0
-rw-r--r-- 1 root root 30821 4 Nov 2008 ftester-1.0.tar.gz
-rw-r--r-- 1 root root 0 22 May 12:54 gparted_details.htm
-rw-r--r-- 1 root root 8846 25 Jul 17:29 master
-rw-r--r-- 1 root root 90114 11 Mar 13:18 matos.html
-rw------- 1 root root 60484 12 Jul 20:25 mbox
-rw-r--r-- 1 root root 161 27 Mar 10:30 my.cnf
drwxr-xr-x 8 pc-1-loreleil pc-1-loreleil 1024 28 Feb 14:30 ossec-hids-2.5.1
-rw-r--r-- 1 root root 740470 12 Oct 2010 ossec-hids-2.5.1.tar.gz
drwxr-xr-x 3 pc-1-loreleil root 1024 20 Apr 2010 rootcheck-2.4
-rw-r--r-- 1 root root 379167 20 Apr 2010 rootcheck-2.4.tar.gz
-rw-r--r-- 1 root root 379167 20 Apr 2010 rootcheck-2.4.tar.gz.1
-rw-r--r-- 1 root root 379167 20 Apr 2010 rootcheck-2.4.tar.gz.2
-rw------- 1 root root 592466304 30 Jul 19:50 sent
:~#
[/code]

[code]root@Debian-pc-1:/usr/lib/ssl# cd /root/demoCA
root@Debian-pc-1:~/demoCA# ls -l
total 12
-rw-r--r-- 1 root root 3498 30 Jul 16:27 cacert.pem
-rw-r--r-- 1 root root 704 30 Jul 16:26 careq.pem
drwxr-xr-x 2 root root 1024 30 Jul 16:23 certs
drwxr-xr-x 2 root root 1024 30 Jul 16:23 crl
-rw-r--r-- 1 root root 3 30 Jul 17:38 crlnumber
-rw-r--r-- 1 root root 0 30 Jul 17:38 index.txt
-rw-r--r-- 1 root root 21 30 Jul 16:27 index.txt.attr
-rw-r--r-- 1 root root 0 30 Jul 16:23 index.txt.old
drwxr-xr-x 2 root root 1024 30 Jul 16:27 newcerts
drwxr-xr-x 2 root root 1024 30 Jul 16:23 private
-rw-r--r-- 1 root root 17 30 Jul 16:27 serial
:~/demoCA#

:~/demoCA# cd /root/cles
:~/cles# ls -l
total 0
:~/cles#

:~/cles# cd /root/demoCA/certs
:~/demoCA/certs# ls -l
total 0
:~/demoCA/certs#

:~/demoCA/certs# cd /root/demoCA/crl
:~/demoCA/crl# ls -l
total 0

:~/demoCA/crl# cd /root/demoCA/newcerts
:~/demoCA/newcerts# ls -l
total 4
-rw-r--r-- 1 root root 3498 30 Jul 16:27 xxxxxxxxxxxxxxxx.pem
:~/demoCA/newcerts#

:~/demoCA/newcerts# cd /root/demoCA/private
:~/demoCA/private# ls -l
total 1
-rw-r--r-- 1 root root 963 30 Jul 16:26 cakey.pem
:~/demoCA/private#
[/code]

How do I get all this back to a clean slate?

I shake your hand... thanks.

Do you really need to create a complete certification authority? If you simply want to create a certificate for your mail server, a self-signed one will do, and will be simpler to generate:
isalo.org/wiki.debian-fr/ind … sign.C3.A9

Otherwise, searching for your error message (TXT_DB error number 2), it seems it happens because your certificate has already been created before:
nicolasjolet.blogspot.com/2011/0 … l-use.html
forums.openvpn.net/topic7551.html
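Added example (the editor's, not a command from this thread or from any of its posters) showing why the refusal above happens and how to get past it. CA.pl -newca signs the CA certificate with openssl ca -selfsign, so the CA's own DN becomes the first row of demoCA/index.txt (that is the "Write out database with 1 new entries" line in the posts). With unique_subject = yes, the default that openssl ca also writes into index.txt.attr, a request that reuses exactly that DN (CN=Debian-pc-1 with the same O, ST and email, as in the first post) is a duplicate and openssl ca refuses it; depending on the OpenSSL release the refusal reads "failed to update database / TXT_DB error number 2" or "ERROR:There is already a certificate for ...". The script builds a throwaway CA from a self-contained config (no CA.pl, no system openssl.cnf), reproduces the refusal, and shows two ways out: a CN that differs from the CA's, which is what eventually worked in this thread (Debian-pc-1.home), and unique_subject = no in index.txt.attr, which overrides the value in openssl.cnf. Paths, subjects and file names are made up for the demo; it needs only a POSIX shell and the openssl command line tool.

```sh
#!/bin/sh
# Added example, not a command from the thread: rebuild the TXT_DB clash with a
# throwaway CA and show the two ways out. Needs a POSIX shell and openssl.
# Every path and subject below is made up for the demo.
set -eu

# make_ca DIR SUBJECT: demoCA-style tree plus a CA certificate self-signed
# through "openssl ca -selfsign", which is what CA.pl -newca runs. That step
# records the CA's own DN as the first row of DIR/index.txt, and the config's
# unique_subject = yes is copied into DIR/index.txt.attr.
make_ca() {
    dir=$1; subj=$2
    mkdir -p "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = yes
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" -subj "$subj" \
        -keyout "$dir/private/cakey.pem" -out "$dir/careq.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -selfsign -extensions v3_ca \
        -days 1095 -keyfile "$dir/private/cakey.pem" -in "$dir/careq.pem" \
        -out "$dir/cacert.pem" >/dev/null 2>&1
}

# issue DIR SUBJECT NAME: fresh key + CSR for SUBJECT, then "openssl ca".
# Returns the exit status of openssl ca, so callers can test for a refusal.
issue() {
    dir=$1; subj=$2; name=$3
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" -subj "$subj" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name-req.pem" 2>/dev/null || return 1
    openssl ca -config "$dir/ca.cnf" -batch -notext -extensions v3_leaf -days 365 \
        -in "$dir/$name-req.pem" -out "$dir/$name-cert.pem"
}

# verify_chain DIR NAME: does DIR/NAME-cert.pem chain to DIR/cacert.pem?
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2-cert.pem" >/dev/null 2>&1
}

# allow_duplicate_subjects DIR: fix B. index.txt.attr overrides the
# unique_subject line in openssl.cnf, so this is the file to change.
allow_duplicate_subjects() {
    printf 'unique_subject = no\n' > "$1/index.txt.attr"
}

# issued_count DIR: number of valid ("V") rows in the CA database.
issued_count() {
    grep -c '^V' "$1/index.txt"
}

demo() {
    work=$(mktemp -d); ca="$work/demoCA"
    ca_subj='/C=FR/O=perso/CN=Debian-pc-1'
    make_ca "$ca" "$ca_subj"
    echo "rows in index.txt after -newca: $(issued_count "$ca") (the CA itself)"
    # Same DN as the CA, as in the first post: refused with a non-zero exit.
    # Old OpenSSL prints "failed to update database / TXT_DB error number 2",
    # newer releases "ERROR:There is already a certificate for ...".
    if issue "$ca" "$ca_subj" dup; then echo "unexpected: duplicate DN accepted"; fi
    # Fix A, what finally worked in the thread: a CN that differs from the CA's.
    issue "$ca" '/C=FR/O=perso/CN=Debian-pc-1.home' host >/dev/null 2>&1
    verify_chain "$ca" host && echo "signed and verified: Debian-pc-1.home"
    # Fix B: relax uniqueness, e.g. to re-issue a certificate for the same host.
    allow_duplicate_subjects "$ca"
    issue "$ca" "$ca_subj" again >/dev/null 2>&1
    verify_chain "$ca" again && echo "signed with unique_subject = no: $(issued_count "$ca") rows now"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found, demo skipped" >&2; fi
```

Run it with sh; it prints the row count after each step and lets the CA's own refusal through on stderr. A third way out, not shown, is to revoke the earlier certificate with openssl ca -revoke: only rows with status V count toward the uniqueness check. The keys are generated with -nodes purely for the demo; a real CA key should stay passphrase-protected, as the thread's cakey.pem is.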

hi

don't just copy/paste blindly

[quote="loreleil.747"]openssl req -new -nodes -subj '/CN=Debian-pc-1/O=Mon_Domaine.net/C=FR/ST=Nord de France/emailAddress=Mon_Adresse@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key[/quote]

the CN is the most important part: it must be your machine's name followed by the domain, or mondomaine.fr

if you don't have a domain, create one locally by naming your machine, for example: toto.chezmoi.loc

we would have needed the full output of the certificate generation, not just a piece

FOO??? you need to give it a name

now it's going to be hard to put back in order

did you clean up the certificate creation as they say

root@votrehostname:~# cd ~

as kna says, a self-signed one is enough

Good day to you all...

First off... thanks to you both...

Well, otherwise, do you confirm x certificate creations?

Honestly, I have absolutely no idea!!!

Hmm! I didn't have that reflex this time...

The original goal! Was for postfix to be able (once and for all) to deliver the few messages: warnings, alerts, info to Mon_Adresse@gmail.com.

And no longer end up with this kind of log.

Jul 27 20:44:03 Debian-pc-1 postfix/smtp[16390]: 4546923C9: to=<Mon_Adresse@gmail.com>, relay=none, delay=15578, delays=15578/0.12/0.12/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[209.85.227.109]:25: No route to host)

then after modifying postfix...

Jul 31 14:40:58 Debian-pc-1 postfix/smtp[13682]: 673C123F3: to=<Mon_Adresse@gmail.com>, relay=none, delay=21346, delays=21325/0.08/21/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[209.85.227.109]:587: Connection timed out)

Now, if you tell me that in this context a self-signed certificate is enough, then no problem...

OK! I had a blonde moment on that one, but there was hardly any more info in said tutorial...

Something like (I have a domain name at ovh)...

With a space? a comma? a semicolon? a slash?

FOO???

The whole lot!

[code]:~$ /usr/lib/ssl/misc/CA.pl -newca

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Nord
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Debian-pc-1
Email Address []:Mon_Adresse@gmail.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
extra
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ac:5f:c1:5e:78:a3:a5:45
Validity
Not Before: Jul 30 13:55:42 2011 GMT
Not After : Jul 29 13:55:42 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Nord
organizationName = Internet Widgits Pty Ltd
commonName = Debian-pc-1
emailAddress = Mon_Adresse@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
59:07:FA:27:4F:81:5E:67:49:D2:D2:17:8F:CA:CE:62:D6:2D:7E:F1
X509v3 Authority Key Identifier:
keyid:59:07:FA:27:4F:81:5E:67:49:D2:D2:17:8F:CA:CE:62:D6:2D:7E:F1
DirName:/C=FR/ST=Nord/O=Internet Widgits Pty Ltd/CN=Debian-pc-1/emailAddress=Mon_Adresse@gmail.com
serial:AC:5F:C1:5E:78:A3:A5:45

        X509v3 Basic Constraints:
            CA:TRUE

Certificate is to be certified until Jul 29 13:55:42 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
:~$

pc-1-loreleil@Debian-pc-1:~$

:~$ openssl req -new -nodes -subj '/CN=Debian-pc-1/O=Internet Widgits Pty Ltd/C=FR/ST=Nord/emailAddress=Mon_Adresse@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'FOO-key.pem'

:~$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ac:5f:c1:5e:78:a3:a5:46
Validity
Not Before: Jul 30 14:04:20 2011 GMT
Not After : Jul 29 14:04:20 2012 GMT
Subject:
countryName = FR
stateOrProvinceName = Nord
organizationName = Internet Widgits Pty Ltd
commonName = Debian-pc-1
emailAddress = Mon_Adresse@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
42:53:99:AE:11:DD:B0:C7:C9:5E:3E:B8:23:46:18:C7:3B:B5:43:55
X509v3 Authority Key Identifier:
keyid:59:07:FA:27:4F:81:5E:67:49:D2:D2:17:8F:CA:CE:62:D6:2D:7E:F1

Certificate is to be certified until Jul 29 14:04:20 2012 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

:~$

:~$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ac:5f:c1:5e:78:a3:a5:46
Validity
Not Before: Jul 30 14:06:27 2011 GMT
Not After : Jul 29 14:06:27 2012 GMT
Subject:
countryName = FR
stateOrProvinceName = Nord
organizationName = Internet Widgits Pty Ltd
commonName = Debian-pc-1
emailAddress = Mon_Adresse@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
42:53:99:AE:11:DD:B0:C7:C9:5E:3E:B8:23:46:18:C7:3B:B5:43:55
X509v3 Authority Key Identifier:
keyid:59:07:FA:27:4F:81:5E:67:49:D2:D2:17:8F:CA:CE:62:D6:2D:7E:F1

Certificate is to be certified until Jul 29 14:06:27 2012 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

:~$

pc-1-loreleil@Debian-pc-1:~$
:~$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load CA private key
17789:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
17789:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
:~$

:~$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ac:5f:c1:5e:78:a3:a5:46
Validity
Not Before: Jul 30 14:11:25 2011 GMT
Not After : Jul 29 14:11:25 2012 GMT
Subject:
countryName = FR
stateOrProvinceName = Nord
organizationName = Internet Widgits Pty Ltd
commonName = Debian-pc-1
emailAddress = Mon_Adresse@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
42:53:99:AE:11:DD:B0:C7:C9:5E:3E:B8:23:46:18:C7:3B:B5:43:55
X509v3 Authority Key Identifier:
keyid:59:07:FA:27:4F:81:5E:67:49:D2:D2:17:8F:CA:CE:62:D6:2D:7E:F1

Certificate is to be certified until Jul 29 14:11:25 2012 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

:~$
[/code]
Well now! I think I screwed up, I ran it as root...

[code]:~# openssl req -new -nodes -subj '/CN=Debian-pc-1/O=Internet Widgits Pty Ltd/C=FR/ST=Nord/emailAddress=Mon_Adresse@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'FOO-key.pem'

:~# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
17779:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
17779:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load CA private key
:~#

:~# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
17842:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
17842:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load CA private key
:~#[/code]

[code]:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Nord de France
Locality Name (eg, city) []:Ville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mon_Domaine.ovh.net
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Debian-pc-1
Email Address []:Mon_Adresse@gmail.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e4:20:fa:e6:21:fe:55:4e
Validity
Not Before: Jul 30 14:27:19 2011 GMT
Not After : Jul 29 14:27:19 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Nord de France
organizationName = Mon_Domaine.ovh.net
commonName = Debian-pc-1
emailAddress = Mon_Adresse@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:7F:B6:5D:72:EC:1B:CD:55:CE:96:F8:55:7A:BE:8D:35:D6:C1:59
X509v3 Authority Key Identifier:
keyid:DA:7F:B6:5D:72:EC:1B:CD:55:CE:96:F8:55:7A:BE:8D:35:D6:C1:59
DirName:/C=FR/ST=Nord de France/O=Mon_Domaine.ovh.net/CN=Debian-pc-1/emailAddress=Mon_Adresse@gmail.com
serial:E4:20:FA:E6:21:FE:55:4E

        X509v3 Basic Constraints:
            CA:TRUE

Certificate is to be certified until Jul 29 14:27:19 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
:~#

:~# openssl req -new -nodes -subj '/CN=Debian-pc-1/O=Mon_Domaine.ovh.net/C=FR/ST=Nord de France/emailAddress=Mon_Adresse@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'FOO-key.pem'

:~#

[/code]

Here, several deletion attempts, syntax error!!!


[code]:~$ cd ~

:~$ rm FOO-req.pem FOO-cert.pem FOO-key.pem &amp;&amp; rm -r demoCA/
bash: syntax error near unexpected token `;&'
:~$

:~$ rm FOO-req.pem FOO-cert.pem FOO-key.pem & amp;& amp; rm -r demoCA/
bash: syntax error near unexpected token `;&'
:~$

:~$ rm FOO-req.pem FOO-cert.pem FOO-key.pem &amp ; &amp ; rm -r demoCA/
bash: syntax error near unexpected token `&'
:~$

:~$ rm FOO-req.pem FOO-cert.pem FOO-key.pem &amp;&amp; rm -r demoCA/
bash: syntax error near unexpected token `;&'
:~$

:~$ rm FOO-req.pem FOO-cert.pem FOO-key.pem &amp;&amp; rm -r demoCA/
bash: syntax error near unexpected token `;&'

:~$[/code]

So much for my defense...

Cheers, and...

Since I can't split the green checkmark in two (or more, depending on the posts, which is a pity in a way), I reluctantly put it at the top of the thread, to my great regret...

kna, green checkmark: you helped me solve "TXT_DB error number 2".

gilles974, green checkmark: you helped me get the certificate signature to go through.

A big thank you to you both... and again...

Well, in fact it wasn't that complicated: a bit of reading, a bit of thinking, and off we go...


[code]:~$ cd ~

:~$ rm FOO-req.pem FOO-cert.pem FOO-key.pem

:~$ rm -ri /home/pc-1-loreleil/demoCA

:~$[/code]

And the same treatment for root!


[code]:~$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:FRANCE
Locality Name (eg, city) []:PARIS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:perso
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Debian-pc-1
Email Address []:Mon_Adresse@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:extra
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            fc:64:a1:60:e3:cb:01:16
        Validity
            Not Before: Jul 31 19:55:11 2011 GMT
            Not After : Jul 30 19:55:11 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = FRANCE
            organizationName          = perso
            commonName                = Debian-pc-1
            emailAddress              = Mon_Adresse@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                41:52:FF:8D:C7:DC:5E:AB:7E:4B:5A:B0:0E:56:74:6B:90:3A:A5:17
            X509v3 Authority Key Identifier:
                keyid:41:52:FF:8D:C7:DC:5E:AB:7E:4B:5A:B0:0E:56:74:6B:90:3A:A5:17
                DirName:/C=FR/ST=FRANCE/O=perso/CN=Debian-pc-1/emailAddress=Mon_Adresse@gmail.com
                serial:FC:64:A1:60:E3:CB:01:16

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 30 19:55:11 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
:~$

:~$ openssl req -new -nodes -subj '/CN=Debian-pc-1.home/O=perso/C=FR/ST=FRANCE/emailAddress=Mon_Adresse@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'FOO-key.pem'
-----
:~$

:~$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            fc:64:a1:60:e3:cb:01:17
        Validity
            Not Before: Jul 31 19:57:30 2011 GMT
            Not After : Jul 30 19:57:30 2012 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = FRANCE
            organizationName          = perso
            commonName                = Debian-pc-1.home
            emailAddress              = Mon_Adresse@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                95:42:8F:A2:06:CE:1D:24:77:83:CF:3C:C9:C6:2C:50:1D:B3:B9:01
            X509v3 Authority Key Identifier:
                keyid:41:52:FF:8D:C7:DC:5E:AB:7E:4B:5A:B0:0E:56:74:6B:90:3A:A5:17

Certificate is to be certified until Jul 30 19:57:30 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
:~$[/code]



[code]:~$ cd /home/pc-1-loreleil/demoCA

:~/demoCA$ ls -l
total 52
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil 3371 31 Jul 21:55 cacert.pem
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil  708 31 Jul 21:55 careq.pem
drwxr-xr-x 2 pc-1-loreleil pc-1-loreleil 4096 31 Jul 21:53 certs
drwxr-xr-x 2 pc-1-loreleil pc-1-loreleil 4096 31 Jul 21:53 crl
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil    3 31 Jul 21:53 crlnumber
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil  239 31 Jul 21:57 index.txt
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil   21 31 Jul 21:57 index.txt.attr
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil   21 31 Jul 21:55 index.txt.attr.old
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil  117 31 Jul 21:55 index.txt.old
drwxr-xr-x 2 pc-1-loreleil pc-1-loreleil 4096 31 Jul 21:57 newcerts
drwxr-xr-x 2 pc-1-loreleil pc-1-loreleil 4096 31 Jul 21:53 private
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil   17 31 Jul 21:57 serial
-rw-r--r-- 1 pc-1-loreleil pc-1-loreleil   17 31 Jul 21:55 serial.old

:~$[/code]


[code]:~# ls -l
total 1438060
-rw-r--r-- 1 root          root               4300 26 Feb   13:16 [26-02-2011][13-13-17]-nmapsi4.log
-rw-r--r-- 1 root          root               2127  8 Mar   16:18 bibliotheque.txt
-rw-r--r-- 1 root          root                  0 21 Jun   19:09 Changelog
drwxrwxrwx 2 pc-1-loreleil pc-1-loreleil      1024  7 Mar   08:54 cles
-rw------- 1 root          root          872239269  2 Jul   18:10 dead.letter
-rw-r--r-- 1 root          root                790  8 Mar   16:17 dump_file
-rw-r--r-- 1 root          root                 59 15 May   11:19 exclure
-rw-r--r-- 1 root          root               9300  3 Mar   22:56 fichier.cap
drwxr-xr-x 2 root          root               1024 13 Feb    2006 ftester-1.0
-rw-r--r-- 1 root          root              30821  4 Nov    2008 ftester-1.0.tar.gz
-rw-r--r-- 1 root          root                  0 22 May   12:54 gparted_details.htm
-rw-r--r-- 1 root          root               8846 25 Jul   17:29 master
-rw-r--r-- 1 root          root              90114 11 Mar   13:18 matos.html
-rw------- 1 root          root              60484 12 Jul   20:25 mbox
-rw-r--r-- 1 root          root                161 27 Mar   10:30 my.cnf
drwxr-xr-x 8 pc-1-loreleil pc-1-loreleil      1024 28 Feb   14:30 ossec-hids-2.5.1
-rw-r--r-- 1 root          root             740470 12 Oct    2010 ossec-hids-2.5.1.tar.gz
drwxr-xr-x 3 pc-1-loreleil root               1024 20 Apr    2010 rootcheck-2.4
-rw-r--r-- 1 root          root             379167 20 Apr    2010 rootcheck-2.4.tar.gz
-rw-r--r-- 1 root          root             379167 20 Apr    2010 rootcheck-2.4.tar.gz.1
-rw-r--r-- 1 root          root             379167 20 Apr    2010 rootcheck-2.4.tar.gz.2
-rw------- 1 root          root          592468304 31 Jul   09:50 sent
:~#[/code]

I shake both your hands...

Thanks kna!
Thanks gilles974!