Showing results for 
Search instead for 
Did you mean: 

OpenSSL Error - 'Unable to load config info from <path> error in req'




    OpenSSL tool shows error - 'Unable to load config info from <path> error in req'

    OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
    Unable to load config info from c: openssl/ssl/openssl.cnf
    error in req

    This happens as it has been looking for openssl.cnf file to load the config.bin, openssl.cnf would be located in the folder you extract the .zip file to.

    Thus we need to specify the path mentioned below using additional parameter -config :

    OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem -config "C:\Users\test\downloads\bin\openssl.cnf"
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key

    writing new private key to 'mykey.pem'

    Enter information in Certificate Signing Request (CSR)

    Generate a CSR

    Complete these steps in order to generate a CSR:

    • Install and open the OpenSSLapplication. In Windows, by default, openssl.exe is located at C:\ > openssl > bin.

    Note:OpenSSL 0.9.8 is required as the WLC does not currently support OpenSSL 1.0.

    • Issue this command:
    OpenSSL>req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

    Note: WLCs support a maximum key size of 2048 bits.

    • After you issue the command, there is a prompt for some information: country name, state, city, and so forth.
    • Provide the required information.


    It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect.

    Here is an example:

    OpenSSL>req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pemLoading 'screen' into random state - done Generating a 1024 bit RSA private key

    ................................................................++++++ ...................................................++++++


    writing new private key to 'mykey.pem'

    ----- You are about to be asked to enter information that will be incorporated into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

    ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Organizational Unit Name (eg, section) []:CDE Common Name (eg, YOUR name) []:XYZ.ABC Email Address []:Test@abc.comPlease enter the following 'extra' attributes to be sent with your certificate request A challenge password []:Test123 An optional company name []: OpenSSL>

    After you provide all the required details, two files are generated:

    • a new private key that includes the name mykey.pem
    • a CSR that includes the name myreq.pem
    • Copy and paste the CSR information into any CA enrollment tool.
    • After you submit the CSR to the third-party CA, the third-party CA digitally signs the certificate and sends back the signed certificate chain through e-mail. In case of chained certificates, you receive the entire chain of certificates from the CA. If you only have one intermediate certificate in our example, you receive these three certificates from the CA:

    Note: Make sure that the certificate is Apache compatible with SHA1 encryption

    • Root certificate.pem
    • Intermediate certificate.pem
    • Device certificate.pem

    Once you have all the three certificates, copy and paste into another file the contents of each .pem file in this order:

    ------BEGIN CERTIFICATE------ *Device cert* ------END CERTIFICATE------ ------BEGIN CERTIFICATE------ *Intermediate CA cert * ------END CERTIFICATE-------- ------BEGIN CERTIFICATE------ *Root CA cert * ------END CERTIFICATE------

    Save the file as All-certs.pem.

    • Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

    Issue these commands in the OpenSSL application in order to create the All-certs.pem and final.pem files:

    openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123openssl>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:check123 -passout pass:check123


    In this command, you must enter a password for the parameters -passin and -passout . The password that is configured for the -passout parameter must match the certpasswordparameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123.

    • final.pemis the file that we need to download to the Wireless LAN Controller. The next step is to download this file to the WLC.

    Additional Information

    The following error has been cropping up on OpenSSL 0.9.8 installs when the user is attempting to create a Certificate Signing Request (CSR) for the WLC:

    OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

    Unable to load config info from c:openssl/ssl/openssl.cnf

    error in req


    • Step 1 - Download a valid "openssl.cnf" configuration file.
    • Step 2 - Save "openssl.cnf" to the same folder as your OpenSSL executable (ex openssl.exe)
    • Step 3 - Use the following command to kick off the CSR:

    OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config openssl.cnf

    Video - Installing a 3rd Party SSL Certificate for Guest Access 




    Nice reference ..

    Diego Cairns

    Is this still valid? Now SHA-2 is a must. SSL version 0.9.8 is no longer supported. I am renewing the certificate and using the same version of ssl I used last year but getting "File Transfer failed" on the controller... The only difference this year is that SHA-2 is a must when I regenerate the Godaddy certificate.

    WLC 5508 version

    SSL version: 0.9.8ze



    Abhijit Ashok Aphale
    Community Member

    I am also facing similar issue with

    WLC 5508 version
    SSL version 1.0.1f

    Diego Cairns

    Hi Abhijit,

    I got it to work in the end, this is what worked for me: 

    Run these commands using version “openssl-0.9.8ze-i386-win32”. I run into some issues as the hashing has to be SHA-256 obligatory, so you have to use intermediate and root ca that are on SHA-256 also. 


     req -new -newkey rsa:2048 -nodes -keyout mykeywifi16.pem -out myreqwifi16.pem -sha256 -config openssl.cnf

    req -in myreqwifi16.pem -noout -texf

    This will show you the certitificate req, verify that says 

    Signature Algorithm: sha256WithRSAEncryption

    Copy the certificate request in the Public CA, in my case was Godaddy, then download certificate and paste the contents of the certificate plus the intermidiate and Root on sha 256. In my case is this file of gd_bundle_g2-g1.crt

    The run the following commands copy the file all-certs-wifi16 on the openssl directory

     pkcs12 -export -in all-certs-wifi16.pem -inkey mykeywifi16.pem -out all-certs-wifi16.p12 –clcerts -passin pass:password -passout pass:password


    pkcs12 -in all-certs-wifi16.p12 -out final-cert-wifi16.pem -passin pass:password -passout pass:password

    Then copy the file on the controller adding the password and should work. If you change the final extension from pem to crt you can see the final certificate chained with the intermediate and root ca and plus you can verify that the hashing is SHA-256

    Some useful commands to run on the controller when you tftp the certificate:

    Debug transfer all enable

    Debug pm pki enable

    Hoping this is useful to you.




    Content for Community-Ad