I’m getting a segv when trying to run CA.pl/.sh to create a rootCA:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
unknown option -create_serial
usage: ca args
-verbose - Talk alot while doing things
-config file - A config file
-name arg - The particular CA definition to use
-gencrl - Generate a new CRL
-crldays days - Days is when the next CRL is due
-crlhours hours - Hours is when the next CRL is due
-startdate YYMMDDHHMMSSZ - certificate validity notBefore
-enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)
-days arg - number of days to certify the certificate for
-md arg - md to use, one of md2, md5, sha or sha1
-policy arg - The CA ‘policy’ to support
-keyfile arg - private key file
-keyform arg - private key file format (PEM or ENGINE)
-key arg - key to decode the private key if it is encrypted
-cert file - The CA certificate
-in file - The input PEM encoded certificate request(s)
-out file - Where to put the output file(s)
-outdir dir - Where to put output certificates
-infiles … - The last argument, requests to process
-spkac file - File contains DN and signed public key and challenge
-ss_cert file - File contains a self signed cert to sign
-preserveDN - Don’t re-order the DN
-noemailDN - Don’t add the EMAIL field into certificate’ subject
-batch - Don’t ask questions
-msie_hack - msie modifications to handle all those universal strings
-revoke file - Revoke a certificate (given in file)
-subj arg - Use arg instead of request’s subject
-extensions … - Extension section (override value in config file)
-extfile file - Configuration file with X509v3 extentions to add
-crlexts … - CRL extension section (override value in config file)
-engine e - use engine e, possibly a hardware device.
-status serial - Shows certificate status given the serial number
-updatedb - Updates db for expired certificates
./CA.sh: line 197: 10495 Segmentation fault $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch -keyfile ${CATOP}/private/$CAKEY -selfsign -extensions v3_ca -infiles ${CATOP}/$CAREQ
I tried removing the -create_serial option and then it complains about the -selfsign option. Removed that too - but it just errors out, never creating my root ca cert.
Anyone encountered this before? Happens with OpenSSL 0.9.8m/1.0.0 on SUSE Linux 9.
Thanks in advance!