I have installed latest SSL (1.1, on VMS 7.3-1), had to de a few copies (overwrite current files with the templates supplied). Created an RANDFILE ($ SH SYS /FULL/OUT=, according Alan Winston's book about the nonstop webserver). However, it seems impossible to create a self-signed certificate. The key-file is created but no certificate file. No error message - until you ask to view the certificate: it simply doesn;t exist. Nowhere within the SSL-strcutures! Creating a CA server doesn't succeed either. No certificates created! Creating a certificate request fails to get past country name. Whatever I enter, it always gives me "invalid input". So I cannot get any further. The documentation doesn't state anything either, or I've read over it.
Any hint of where I got wrong is appreciated...
Willem
Willem Grooters OpenVMS Developer & System Manager
removed product SSL removed directory (was installed on VMS$COMMON:SSL, so i removed this SSL.DIR and all below) removed SYS$STARTUP:SSL$*.COM (startup and shutdown)
installed SSL again, to VMS$COMMON:[SSL] - the default location. Creation of self-signed certificate Ok Creation of CA certificate Ok Creation of certificate request failes on country. Whatever i do, it tells me "Invalid input".
(I want to create my own CA on my webserver so I can control who gets access. These need a certificate as well. the manuals don't tell me how to achieve this...So I just have to try :-( )
Willem
Willem Grooters OpenVMS Developer & System Manager
can you please report the exact commands you use and errors you receive (Obviously after obscuring any confidential information). I do have SSL up (for my OSU webserver) and would like to try and reproduce your problem.
I used SSL$CERT_TOOL.COM - and by that, the different underlaying procedures, as supplied with the kit. I would expect them to work. I haven't tried the plain openssl executable - yet. I also think the documentation is not very clear: how do I create my machine to be a certificate server? My assumption was the CA certificate, but now I doubt that's true....
Willem Grooters OpenVMS Developer & System Manager
well this "tool" is not part of OpenSSL. Since it is made and supported by hp it might be a good idea to pick up the phone and bug them about it. Else you could try to find out what they do in the DCL. Once you got the command they try to execute I will be more than happy to test against a real OpenSSL installation.
Greetings, Martin
P.S. I really try to avoid my "hp has no clue about open source SW" soapbox here :-(
Problem is in SSL$RQST_CERT.COM where size of input is compared with data kept in configuration file. THIS FILE IS WRONG. As far as I could find, in any configuration file, _countryname_upd is either "Y" of "N". Where countryname_max is set this should be set to 2. I changed that - and the problem was solved:
if you feel generous, please send mail to OpenVMSSecurity@hp.com detailing your problem and the bug you have fixed. Maybe it will make it into the next hp SSL version.
