Those paths need to correspond to those set in the "[ CA_default ]" section of the openssl.cnf file.
E.g.
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = somedir/ca_dir # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ca_cert.pem
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca_key.pem
RANDFILE = $dir/.rand # private random number file
Here's a recipe for generating a CA directory for testing.
It assumes you have already generated a CA key and cert.
touch $CA_DIR/index.txt
echo '1000' > $CA_DIR/serial
echo '1000' > $CA_DIR/crlnumber
mkdir -m 700 $CA_DIR/newcerts
mkdir -m 700 $CA_DIR/private
mkdir $CA_DIR/certs
cp $CA_KEY $CA_DIR/ private/ ca_key. pem private/ ca_key. pem
chmod 600 $CA_DIR/
cp $CA_CERT $CA_DIR/ certs/ca_ cert.pem
Those paths need to correspond to those set in the "[ CA_default ]" section of the openssl.cnf file.
E.g.
[ ca ] ####### ####### ####### ####### ####### ####### ####### ####### #####
# several ctificates with same subject.
default_ca = CA_default # The default ca section
#######
[ CA_default ]
dir = somedir/ca_dir # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ ca_cert. pem
# must be commented out to leave a V1 CRL ca_key. pem
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/
RANDFILE = $dir/.rand # private random number file
The initial crl file can be generated like so:
cat ca_key_ passphrase_ file.txt | openssl ca -gencrl -out $CA_DIR/crl.pem -config /path/to/ test.openssl. cnf -passin stdin
Use 'openssl req' to generate the cert request private key.
Use 'openssl spkac' to generate the spkac cert request data.