[openssl-users] SSL_CTX_check_private_key:no certificate assigned

Dr. Stephen Henson steve at openssl.org
Sun Mar 1 14:13:32 UTC 2015 

On Sun, Mar 01, 2015, dE wrote:

> Hi!
> 
> I'm trying to create a certificate using openssl library. Here is
> the code --
> 
> void main () {
>     SSL_library_init();
>     SSL_load_error_strings();
>     OpenSSL_add_all_algorithms();
>     char err[1000];
>     RSA* keypair = RSA_new();
>     BIGNUM *e = BN_new();
>     X509 *certificate = X509_new();
>     EVP_PKEY *certkeypair = EVP_PKEY_new();
> 
>     BN_set_word(e, 65537);
>     if (!RSA_generate_key_ex(keypair, 1024, e, NULL))
>         printf ("key generation failed");
>     BN_free(e);
>     e = NULL;
> 
>     EVP_PKEY_assign_RSA(certkeypair,keypair);
> 
>     X509_set_version (certificate  , 3);
>     ASN1_INTEGER_set(X509_get_serialNumber(certificate), 1);
> 
>     X509_NAME * certnames;
>     certnames = X509_get_subject_name(certificate);
>     X509_NAME_add_entry_by_txt(certnames, "C",  MBSTRING_ASC,
> (unsigned char *)"global", -1, -1, 0);
>     X509_NAME_add_entry_by_txt(certnames, "O",  MBSTRING_ASC,
> (unsigned char *)"BIGcoin", -1, -1, 0);
>     X509_NAME_add_entry_by_txt(certnames, "CN", MBSTRING_ASC,
> (unsigned char *)"My IP", -1, -1, 0);
> 
>     X509_set_issuer_name(certificate,certnames);
> 
>     X509_gmtime_adj(X509_get_notBefore(certificate), -(24*60*60));
>     X509_gmtime_adj(X509_get_notAfter(certificate), (366*24*60*60));
> 
>     X509_sign(certificate, certkeypair, EVP_sha512());
> 
>     const SSL_METHOD* meth;
>     meth = TLSv1_method();
>     SSL_CTX* ctx;
>     ctx = SSL_CTX_new(meth);
> 
>     SSL_CTX_use_certificate (ctx, certificate);
>     SSL_CTX_use_PrivateKey (ctx, certkeypair);
> 
>     if (!SSL_CTX_check_private_key (ctx))
>         printf ("Signature could not be verified\n");
> 
>     ERR_error_string(ERR_peek_last_error(), err);
>         printf ("Error is %s\n", err);
> }
> 
> I cant get the created certificate to be verified. It always results in --
> 
> error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate
> assigned

You're missing a call to X509_set_pubkey. Since the certificate doesn't
contain a public key it is not valid and the TLS code can't check a public key
which doesn't exist. In fact it wont even get there: if there is no key on a
certificate OpenSSL will refuse to add it as a certificate in the first place
(which is why you get the "no certificate" error).

If you checked some of your other functions for errors you'd see what was
happening: there are probably many more errors in the whole queue but you're
only seeing the last one.

Check out demos/x509/mkcert.c for an example of how to create a certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list