[openssl-users] SSL_CTX_check_private_key:no certificate assigned

dE de.techno at gmail.com
Sun Mar 1 14:53:57 UTC 2015


On 03/01/15 19:43, Dr. Stephen Henson wrote:
> On Sun, Mar 01, 2015, dE wrote:
>
>> Hi!
>>
>> I'm trying to create a certificate using openssl library. Here is
>> the code --
>>
>> void main () {
>>      SSL_library_init();
>>      SSL_load_error_strings();
>>      OpenSSL_add_all_algorithms();
>>      char err[1000];
>>      RSA* keypair = RSA_new();
>>      BIGNUM *e = BN_new();
>>      X509 *certificate = X509_new();
>>      EVP_PKEY *certkeypair = EVP_PKEY_new();
>>
>>      BN_set_word(e, 65537);
>>      if (!RSA_generate_key_ex(keypair, 1024, e, NULL))
>>          printf ("key generation failed");
>>      BN_free(e);
>>      e = NULL;
>>
>>      EVP_PKEY_assign_RSA(certkeypair,keypair);
>>
>>      X509_set_version (certificate  , 3);
>>      ASN1_INTEGER_set(X509_get_serialNumber(certificate), 1);
>>
>>      X509_NAME * certnames;
>>      certnames = X509_get_subject_name(certificate);
>>      X509_NAME_add_entry_by_txt(certnames, "C",  MBSTRING_ASC,
>> (unsigned char *)"global", -1, -1, 0);
>>      X509_NAME_add_entry_by_txt(certnames, "O",  MBSTRING_ASC,
>> (unsigned char *)"BIGcoin", -1, -1, 0);
>>      X509_NAME_add_entry_by_txt(certnames, "CN", MBSTRING_ASC,
>> (unsigned char *)"My IP", -1, -1, 0);
>>
>>      X509_set_issuer_name(certificate,certnames);
>>
>>      X509_gmtime_adj(X509_get_notBefore(certificate), -(24*60*60));
>>      X509_gmtime_adj(X509_get_notAfter(certificate), (366*24*60*60));
>>
>>      X509_sign(certificate, certkeypair, EVP_sha512());
>>
>>      const SSL_METHOD* meth;
>>      meth = TLSv1_method();
>>      SSL_CTX* ctx;
>>      ctx = SSL_CTX_new(meth);
>>
>>      SSL_CTX_use_certificate (ctx, certificate);
>>      SSL_CTX_use_PrivateKey (ctx, certkeypair);
>>
>>      if (!SSL_CTX_check_private_key (ctx))
>>          printf ("Signature could not be verified\n");
>>
>>      ERR_error_string(ERR_peek_last_error(), err);
>>          printf ("Error is %s\n", err);
>> }
>>
>> I can't get the created certificate to be verified. It always results in --
>>
>> error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate
>> assigned
> You're missing a call to X509_set_pubkey. Since the certificate doesn't
> contain a public key it is not valid and the TLS code can't check a public key
> which doesn't exist. In fact it won't even get there: if there is no key on a
> certificate OpenSSL will refuse to add it as a certificate in the first place
> (which is why you get the "no certificate" error).
>
> If you checked some of your other functions for errors you'd see what was
> happening: there are probably many more errors in the whole queue but you're
> only seeing the last one.
>
> Check out demos/x509/mkcert.c for an example of how to create a certificate.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Thank you!
