# Using openssl to install Certificate Authority



## indyJones (Mar 23, 2012)

_This is a new thread evolved from the
Discussion about "Keeping Openssl Up to Date" at
http://forums.freebsd.org/showthread.php?p=171433#post171433_


I want to create a Certificate Authority on my server.
I enter this to create my CA:
```
openssl req -nodes -new -days 3650 -x509 -keyout private/cakey.pem -out cacert.pem
```

I get this error:

```
Unable to load config info from /etc/ssl/openssl.cnf
```
I see from other posts on this forum, the error shows me that the command cannot find the openssl.cnf file. But, it IS exactly where it says it cannot find it; that is, in /etc/ssl, right where it's "supposed" to be. The other posts point out that the file cannot be found, but they offer no solution as to where it should be put so that it *can* be found.

So, I do a little thinking. Maybe it will be found if I put it in /usr/local/sbin. Nope! Doesn't work. Same error. I try putting it all over the place. I try using soft links to it from other directories. Nope! I even put it into the exact same directory where I will keep my certs. The same directory where I issue the command. Nope! Nope! That does not work either. The file is never found, no matter where I put it.

Did I write the command wrong?
If I try it in the style of other 'nixes, it does not work either. I've tried many variations of the command. So far, no matter what, it never works.

It is suggested to re-copy openssl.cnf "from the original" in /usr/src/crypto/.... There is no such directory on my system! Is that something new for FreeBSD 9.0?

I received a PM telling me to try a `make install clean` of OpenSSL. I upgraded my ports tree with *portsnap*, and did the new install. No change. There is still no /usr/src/crypto/... directory.

Any ideas? What do you think is the solution?

I want to make a CA and sign my own certs for my 7 virtuals.
I am using FreeBSD 9.0 with openssl 9.8q.

Thanks.


----------
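
An added example, not part of the original posts: a CA and one signed server certificate built with an explicit `-config` file, so nothing depends on where OpenSSL looks for `openssl.cnf`. File names follow the command in the post above; the config contents, function names and subject names are assumptions.

```shell
#!/bin/sh
# Added example: self-contained CA that does not read /etc/ssl/openssl.cnf.
# cakey.pem / cacert.pem follow the post; everything else is an assumption.
# (Setting OPENSSL_CONF to the file has the same effect as -config.)

make_ca() {   # usage: make_ca <dir>
    dir=$1
    mkdir -p "$dir/private" && chmod 700 "$dir/private" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes (as in the post) leaves the CA key unencrypted on disk,
    # so keep it in a 0700 directory and create it under umask 077.
    ( umask 077
      openssl req -config "$dir/ca.cnf" -nodes -new -newkey rsa:2048 -x509 \
          -days 3650 -subj "/CN=Example Local CA" \
          -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" ) 2>/dev/null
}

sign_server() {   # usage: sign_server <dir> <dns-name>
    dir=$1 name=$2
    # Per-certificate extensions: leaf only, server auth, SAN for the host.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$name" > "$dir/$name.ext"
    ( umask 077
      openssl req -config "$dir/ca.cnf" -nodes -new -newkey rsa:2048 \
          -subj "/CN=$name" -keyout "$dir/private/$name.key" \
          -out "$dir/$name.csr" ) 2>/dev/null || return 1
    openssl x509 -req -in "$dir/$name.csr" -days 365 -sha256 \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}
```

Call `make_ca` once, then `sign_server` once per virtual host; `openssl verify -CAfile cacert.pem <host>.crt` confirms each certificate chains to the CA.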



## kpa (Mar 23, 2012)

/usr/src is the system sources; please see this thread for options on how to get the sources for 9.0:

http://forums.freebsd.org/showthread.php?t=29172


----------



## indyJones (Mar 23, 2012)

Well, kpa

Your advice is good.
It worked! 
I have my Certificate Authority.

I used the subversion method to get the stable source.
Holy Mackerel!!! No wonder it was not included with my new vps.
It's HUGE!!! ...and mostly stuff that everybody will never use.

I think I'm now going to spend a whole day removing all of the directories that I definitely do not need. A lot of work ahead of me, but a real learning experience.
Thanks,
~Indy


----------

