From: owner-openssl-users@openssl.org On Behalf Of bsteiner@oldworldind.com
Sent: Monday, 03 November, 2008 11:38

I am trying to sign a cert I created using Cleo Lexicom, but get the below
error.

C:\OpenSSL\bin>openssl x509 -req -days 1825 -in owi_inter_root.csr -CA owi_inter_root.cer -CAkey owi_inter_root.pem -set_serial 01 -out owi_server.crt

unable to load CA Private Key


To be exact, this is trying to create (and sign) a certificate from a CSR
which you presumably created as stated. (A cert contains most of the data
from the CSR, but not all, and in a different format, and adds other.) Your
.csr is for the same entity as the .cer you specify as CA, which is selfsigned
but not marked as CA, so this would just produce another selfsigned (and
unmarked) cert, which doesn't appear to accomplish much.

C:\OpenSSL\bin>openssl req -new -x509 -days 1825 -key owi_inter_root.pem -out test.crt
unable to load Private Key


And this would create (and sign) a selfsigned cert for the presumably same key,
but a possibly different name and certainly(?) serial and period.

Your owi_inter_root.pem is labelled as BEGIN/END PRIVATE KEY (meaning clear)
but appears to actually be a PKCS8 pbe-encrypted bag, presumably containing
the key.
If this is really the key you want to use for your CA, change the labels to
BEGIN/END ENCRYPTED PRIVATE KEY, and supply the passphrase. And preferably you
should change (regenerate) the related cert to be a CA and allow certsigning
(or equivalent).

But you already have a selfsigned .cer, presumably created by whatever.
If what you want is a cert signed by a distinct CA, you need to use the CAkey
and CAcert and configuration (and policy if any) for that CA.
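
The label mismatch diagnosed in the reply above can be checked structurally: a clear PKCS#8 PrivateKeyInfo starts with an INTEGER version, while an EncryptedPrivateKeyInfo starts with the encryption AlgorithmIdentifier followed by one OCTET STRING. The following is an added example, not part of the original messages; the function names are hypothetical and the sample bytes are constructed, zero-filled DER, not a real key.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs8_kind(der):
    """Return the PEM label that fits the DER's outer structure, or None."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30 or end > len(der):
        return None
    tags = []
    while pos < end:  # collect the tags of the outer SEQUENCE's children
        t, _, pos = read_tlv(der, pos)
        tags.append(t)
    if tags[:3] == [0x02, 0x30, 0x04]:  # version, algorithm, key: PrivateKeyInfo
        return "PRIVATE KEY"
    if tags == [0x30, 0x04]:  # algorithm, ciphertext: EncryptedPrivateKeyInfo
        return "ENCRYPTED PRIVATE KEY"
    return None

def check_pem(text):
    """Return (label, structure, label_matches) for the first PEM block."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    kind = pkcs8_kind(base64.b64decode("".join(m.group(2).split())))
    return m.group(1), kind, m.group(1) == kind

# Constructed sample data: structurally valid DER with zero-filled payloads.
def tlv(tag, content):  # short-form lengths only, enough for this sample
    return bytes([tag, len(content)]) + content

def to_pem(label, der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# AlgorithmIdentifier: a PKCS#12 PBE OID plus (salt, iteration count) parameters
PBE = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010c0103"))
          + tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00")))
ENCRYPTED_DER = tlv(0x30, PBE + tlv(0x04, bytes(16)))
MISLABELLED = to_pem("PRIVATE KEY", ENCRYPTED_DER)  # the situation in the reply
```

`check_pem(MISLABELLED)` reports the label `PRIVATE KEY` against the structure `ENCRYPTED PRIVATE KEY`, which is the case where the reply's advice to change the labels and supply the passphrase applies.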