OpenSSL "x509 -req" - Error "my_ca.srl: No error"

Q

Why am I getting the "my_ca.srl: No error" error when trying to sign a CSR with the OpenSSL "x509" command?

✍: FYIcenter.com

A

You are getting the "my_ca.srl: No error" error when using the OpenSSL "x509" command to sign a CSR because OpenSSL is not able to access the default serial number file: my_ca.srl.

When using the "x509" command to sign a CSR, you have to use one of the following approaches to tell OpenSSL how the serial number should be provided for the new certificate.

  • Use the "-set_serial nnnn" command option to provide the serial number manually.
  • Use the "-CAcreateserial" command option to let OpenSSL create the serial number for you.
  • Use the "-CAserial filename" command option to ask OpenSSL to read the serial number from the given file. OpenSSL will also increment the serial number in the file for you.
  • Create a default serial number file with the same file name as the CA certificate, but with the ".srl" file extension. OpenSSL will read and increment the serial number in this default file.

The test below shows you how to create a default serial number file:

C:\Users\fyicenter>copy CON my_ca.srl
1000
<Ctrl-Z>

C:\Users\fyicenter>copy CON my_ca.srl
        613 my_ca.crl
      1,094 my_ca.crt
      1,041 my_ca.key

C:\Users\fyicenter>\local\OpenSSL\openssl

OpenSSL> x509 -req -in my_rsa.csr -CA my_ca.crt -CAkey my_ca.key -out my_rsa.crt

Signature ok
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc/emailAddress=john@donald.inc
Getting CA Private Key
Enter pass phrase for my_ca.key:

OpenSSL> x509 -in my_rsa.crt -serial -noout
serial=1001
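
The default serial file behavior shown above, as an added example for a POSIX shell (not part of the original page): it builds a throwaway CA, seeds the default ".srl" file, signs a CSR, and reports the serial in the new certificate next to the value left in the file. The file names, subjects and the sign_with_default_srl helper are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: throwaway CA and CSR with constructed names, not from the original page.

# Usage: sign_with_default_srl START_HEX
# Prints "<certificate serial> <serial left in demo_ca.srl>".
sign_with_default_srl() {
    start_hex=$1
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        # Throwaway self-signed CA; -nodes leaves the key unencrypted so the
        # demo runs without a pass phrase prompt (do not do this for a real CA).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo CA" -keyout demo_ca.key -out demo_ca.crt \
            2>/dev/null || exit 1
        # CSR that the CA will sign.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr \
            2>/dev/null || exit 1
        # Default serial file: CA certificate base name plus ".srl".
        printf '%s\n' "$start_hex" > demo_ca.srl
        # No -set_serial, -CAserial or -CAcreateserial: the default file is used.
        openssl x509 -req -in leaf.csr -CA demo_ca.crt -CAkey demo_ca.key \
            -days 1 -out leaf.crt 2>/dev/null || exit 1
        cert_serial=$(openssl x509 -in leaf.crt -serial -noout | sed 's/^serial=//')
        file_serial=$(tr -d '\r\n' < demo_ca.srl)
        printf '%s %s\n' "$cert_serial" "$file_serial"
    )
    status=$?
    rm -rf "$workdir"
    return $status
}
```

The serial file holds hexadecimal digits, so a file seeded with 09 produces a certificate with serial 0A and leaves 0A in the file.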

 

2018-02-08