[Openswan Users] Generating X 509 certificate problem on Debian Sarge OpenSwan 2.1.3-1

Trevor Hennion trevor at thennion.demon.co.uk
Mon Oct 11 21:08:58 CEST 2004


On Monday 11 Oct 2004 17:45, Joost Kraaijeveld wrote:
> Hi all,
>
> I want to generate an X.509 certificate on a Debian Sarge machine for
> connecting Windows 2000 Roadwarriors.  I followed the recipe as described
> below to the letter (I copied and pasted all text, did not type anything)
> after installing OpenSwan ~2 weeks ago. In step 2 of creating the client
> certificate (/usr/bin/openssl ca -in client01Req.pem -days 730 -out
> client01Cert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile
> caKey.pem.locked ) I get the following error:
>
> ..
> failed to update database
> TXT_DB error number 2
>
> Anyone any idea what to do?
>
> Regards,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: J.Kraaijeveld at Askesis.nl
> web: www.askesis.nl
>
> Recipe:
>
> cd /etc/ipsec.d/
> mkdir ca
> cd ca
> (edit /usr/share/openssl.cnf and change directory ./DemoCA to
> /etc/ipsec.d/ca/)
>
> /usr/bin/openssl req -x509 -days 1460 -newkey rsa:1024 -keyout
> caKey.pem.locked -out caCert.pem -passin pass:foobar -passout pass:foobar
> /usr/bin/openssl rsa -passin pass:foobar -passout pass:foobar -in
> caKey.pem.locked -out caKey.pem
>
> touch index.txt
> echo "01" > serial
> mkdir newcerts
>

Hi,

The error basically means that a certificate already exists using the same CN
details.

Your 'recipe' has a severe limitation!

The lines:
touch index.txt
echo "01" > serial

seem to suggest that it is only intended to create one certificate.
Even with only one system this becomes a problem if you have to re-issue the
certificate before it expires.

It looks like the 'recipe' is a modification of the OpenSSL DemoCA function.
You could create a new certificate with different CN details.

HTH

Regards

Trevor Hennion
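To make the diagnosis above concrete, here is an added example (not from this thread, OpenSwan or OpenSSL) that parses a constructed `index.txt` in the format `openssl ca` writes and reports the two conditions that make the tool fail with "TXT_DB error number 2": a still-valid entry with the same subject, or a serial number that has already been issued. The `Entry` type, `find_clash` and the sample lines are my own assumptions about how such a pre-flight check would look.

```python
"""Pre-flight check for an OpenSSL `ca` index.txt (constructed example).

Each index.txt line is tab-separated:
  status (V/R/E)  expiry  revocation-date (empty unless R)  serial  filename  subject
`openssl ca` keeps an index on the serial column and, for entries whose
status is V, on the subject column; inserting a row that hits either index
fails with "failed to update database / TXT_DB error number 2".
"""
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    status: str
    expiry: str
    revoked: str
    serial: str
    filename: str
    subject: str


def parse_index(text: str) -> List[Entry]:
    """Parse index.txt content into Entry records (blank lines ignored)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        entries.append(Entry(*fields))
    return entries


def find_clash(entries: List[Entry], serial: str, subject: str) -> Optional[str]:
    """Explain why `openssl ca` would refuse to add (serial, subject), or None."""
    def norm(s: str) -> str:          # serial lookup ignores leading zeros
        return s.lstrip("0").upper()
    for e in entries:
        if norm(e.serial) == norm(serial):
            return f"serial {serial} already issued to {e.subject}"
    for e in entries:                  # only V entries block a re-issue
        if e.status == "V" and e.subject == subject:
            return f"valid certificate for {subject} already exists (serial {e.serial})"
    return None


# Constructed sample: client01 issued (serial 01, still valid), client02 revoked.
SAMPLE_INDEX = (
    "V\t061011120000Z\t\t01\tunknown\t/C=NL/O=Example/CN=client01\n"
    "R\t061011120000Z\t041010120000Z\t02\tunknown\t/C=NL/O=Example/CN=client02\n"
)

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print(find_clash(db, "03", "/C=NL/O=Example/CN=client01"))  # subject clash
    print(find_clash(db, "01", "/C=NL/O=Example/CN=client03"))  # serial clash
    print(find_clash(db, "03", "/C=NL/O=Example/CN=client02"))  # None: revoked
```

Running this before `openssl ca` shows whether a new serial (the `echo "01" > serial` reset) or a different CN is needed; revoking the old entry first also clears the subject clash.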

