From: On Behalf Of
Sent: Monday, 03 November, 2008 11:38

I am trying to sign a cert I created using Cleo Lexicom, but get the below

C:\OpenSSL\bin>openssl x509 -req -days 1825 -in owi_inter_root.csr -CA
_root.cer -CAkey owi_inter_root.pem -set_serial 01 -out owi_server.crt

unable to load CA Private Key

To be exact, this is trying to create (and sign) a certificate from a CSR
which you presumably created as stated. (A cert contains most of the data
from the CSR, but not all, and in a different format, and adds other.) Your
..csr is for the same entity as the .cer you specify as CA, which is
but not marked as CA, so this would just produce another selfsigned (and
unmarked) cert, which doesn't appear to accomplish much.

C:\OpenSSL\bin>openssl req -new -x509 -days 1825 -key
owi_inter_root.pem -out te
unable to load Private Key

And this would create (and sign) a selfsigned cert for the presumably same
but a possibly different name and certainly(?) serial and period.

Your owi_inter_root.pem is labelled as BEGIN/END PRIVATE KEY (meaning clear)
but appears to actually be a PKCS8 pbe-encrypted bag, presumably containing
the key.
If this is really the key you want to use for your CA, change the labels to
ENCRYPTED PRIVATE KEY, and supply the passphrase. And preferably you should
change (regenerate) the related cert to be a CA and allow certsigning (or

But you already have a selfsigned .cer, presumably created by whatever.
If what you want is a cert signed by a distinct CA, you need to use the
and CAcert and configuration (and policy if any) for that CA.