10-31-2012 06:48 AM - edited 11-18-2020 03:00 AM
Introduction
OpenSSL tool shows error - 'Unable to load config info from <path> error in req'
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Unable to load config info from c: openssl/ssl/openssl.cnf
error in req
This happens because OpenSSL looks for openssl.cnf at its compiled-in default location, and the .zip distribution does not put the file there: openssl.cnf sits in the bin folder you extracted the .zip file to. You therefore need to point OpenSSL at the file explicitly with the additional -config parameter:
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem -config "C:\Users\test\downloads\bin\openssl.cnf"
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'mykey.pem'
Enter information in Certificate Signing Request (CSR)
Generate a CSR
Complete these steps in order to generate a CSR:
- Install and open the OpenSSL application. In Windows, by default, openssl.exe is located at C:\openssl\bin.
Note: OpenSSL 0.9.8 is required as the WLC does not currently support OpenSSL 1.0.
- Issue this command:
OpenSSL>req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Note: WLCs support a maximum key size of 2048 bits.
- After you issue the command, there is a prompt for some information: country name, state, city, and so forth.
- Provide the required information.
Note: It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC, and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect.
Here is an example:
OpenSSL>req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................................................................++++++
...................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) []:CDE
Common Name (eg, YOUR name) []:XYZ.ABC
Email Address []:Test@abc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test123
An optional company name []:
OpenSSL>
After you provide all the required details, two files are generated:
- a new private key, named mykey.pem
- a CSR, named myreq.pem
- Copy and paste the CSR information into any CA enrollment tool.
- After you submit the CSR to the third-party CA, the CA digitally signs the certificate and sends back the signed certificate chain through e-mail. In the case of chained certificates, you receive the entire chain of certificates from the CA. If, as in our example, there is only one intermediate certificate, you receive these three certificates from the CA:
- Root certificate.pem
- Intermediate certificate.pem
- Device certificate.pem
Note: Make sure that the certificate is issued in Apache-compatible (PEM) format with a SHA-1 signature hash.
Once you have all three certificates, copy and paste the contents of each .pem file into another file, in this order (PEM delimiters are five dashes on each side):
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
Save the file as All-certs.pem.
- Combine the All-certs.pem certificate chain with the private key that you generated along with the CSR (the private key of the device certificate, mykey.pem in this example), and save the result as final.pem.
Issue these commands in the OpenSSL application in order to create the All-certs.p12 and final.pem files:
openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123
openssl>pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123
Note: In these commands, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password configured for both the -passin and -passout parameters is check123.
- final.pem is the file that we need to download to the Wireless LAN Controller. The next step is to download this file to the WLC.
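The chain-assembly and pkcs12 steps above, run end to end in a POSIX shell, as an added example that is not code from the original page. Because a real CA is not available offline, the script first constructs its own root and intermediate CA to stand in for the third-party CA, then builds All-certs.pem in the documented device/intermediate/root order, checks that the first certificate in the bundle really belongs to mykey.pem and that the chain verifies, and finally runs the page's two pkcs12 commands. The stand-in CA names, file names, sample DN and the password check123 are assumptions; the openssl commands themselves are the same ones you would type at the OpenSSL> prompt on Windows.

```sh
#!/bin/sh
# Added example (not from the original page): assemble All-certs.pem and
# final.pem the way the article describes, with checks between the steps.
# The stand-in CA, file names and the password are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=check123   # must equal the certpassword configured on the WLC

# --- Stand-in for the third-party CA (constructed for this demo only) ------
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Self-signed root, SHA-256.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
}

# --- WLC administrator: key + CSR as in the article (2048 bits, SHA-256) ---
make_device_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=CA/L=San Jose/O=ABC/OU=CDE/CN=XYZ.ABC" \
        -keyout "$WORK/mykey.pem" -out "$WORK/myreq.pem" 2>/dev/null
}

# --- The CA returns the signed device certificate ---------------------------
sign_device_cert() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/myreq.pem" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -out "$WORK/device.pem" 2>/dev/null
}

# --- Article step: device cert, then intermediate, then root ----------------
build_all_certs() {
    cat "$WORK/device.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/All-certs.pem"
}

# Check 1: the first certificate in All-certs.pem must belong to mykey.pem.
# openssl x509 reads only the first PEM block, so a bundle pasted in the
# wrong order fails here as well.
key_matches_first_cert() {
    [ "$(openssl x509 -in "$WORK/All-certs.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/mykey.pem" -pubout)" ]
}

# Check 2: the device certificate chains to the root via the intermediate.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/device.pem" >/dev/null 2>&1
}

# Check 3: the signature hash the CA actually used on the device certificate.
device_cert_sigalg() {
    openssl x509 -in "$WORK/device.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# --- The article's two pkcs12 commands ---------------------------------------
build_final_pem() {
    openssl pkcs12 -export -in "$WORK/All-certs.pem" -inkey "$WORK/mykey.pem" \
        -out "$WORK/All-certs.p12" -clcerts -passin "pass:$PASS" -passout "pass:$PASS"
    openssl pkcs12 -in "$WORK/All-certs.p12" -out "$WORK/final.pem" \
        -passin "pass:$PASS" -passout "pass:$PASS" 2>/dev/null
}

# final.pem should hold one (encrypted) private key plus the three certificates.
count_pem_blocks() {
    grep -c '^-----BEGIN' "$WORK/final.pem"
}

make_test_ca
make_device_csr
sign_device_cert
build_all_certs
key_matches_first_cert || { echo "first certificate does not match mykey.pem" >&2; exit 1; }
chain_verifies || { echo "chain does not verify" >&2; exit 1; }
echo "device certificate signed with: $(device_cert_sigalg)"
build_final_pem
echo "PEM blocks in final.pem: $(count_pem_blocks)  (files in $WORK)"
```

The two checks before the pkcs12 step are the ones worth keeping when you use a real CA: pkcs12 -export refuses to run if no certificate in All-certs.pem matches the key, and openssl verify tells you whether the intermediate and root you pasted actually belong to the device certificate you received.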
Additional Information
The following error appears on OpenSSL 0.9.8 installs when a user attempts to create a Certificate Signing Request (CSR) for the WLC:
OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
Unable to load config info from c:openssl/ssl/openssl.cnf
error in req
Fix
- Step 1 - Download a valid "openssl.cnf" configuration file.
- Step 2 - Save "openssl.cnf" to the same folder as your OpenSSL executable (for example, openssl.exe).
- Step 3 - From that folder, use the following command to kick off the CSR. A relative path given to -config is resolved against the current working directory, so either run the command where the file was saved or give the full path:
OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config openssl.cnf
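The same fix, carried out non-interactively in a POSIX shell against any OpenSSL build, as an added example that is not part of the original page. It covers both the error in the Introduction and the Fix above: it first asks OpenSSL where it expects openssl.cnf (the path that shows up in the error), then writes a minimal openssl.cnf of its own, passes it with -config, and runs the checks a practitioner wants on the CSR before pasting it into the CA portal. The DN values mirror the page's example; the file names, the minimal config and the choice of -sha256 are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): the -config fix for
# "Unable to load config info from ...", done non-interactively, plus the
# checks worth running on the CSR before it goes to the CA.
# File names and the minimal config below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The compiled-in directory where this build expects openssl.cnf. When the
#    file is not there, req fails with the error quoted in the article.
show_default_config_dir() {
    openssl version -d
}

# 2. A minimal, constructed openssl.cnf carrying the article's sample DN.
#    prompt = no makes req read the DN from here instead of asking for it.
write_minimal_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
C  = US
ST = CA
L  = San Jose
O  = ABC
OU = CDE
CN = XYZ.ABC
EOF
}

# 3. The article's command with -config pointing at our file and -sha256 so
#    the CSR is not signed with SHA-1. 2048 bits is the WLC maximum.
generate_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/mykey.pem" -out "$WORK/myreq.pem" \
        -config "$WORK/openssl.cnf" 2>/dev/null
}

# 4. Checks: the CSR's self-signature verifies ...
csr_verifies() {
    openssl req -in "$WORK/myreq.pem" -noout -verify >/dev/null 2>&1
}
# ... it carries the expected digest (sha256WithRSAEncryption) ...
csr_signature_algorithm() {
    openssl req -in "$WORK/myreq.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
# ... and the key size is what we asked for.
csr_key_bits() {
    openssl req -in "$WORK/myreq.pem" -noout -text \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
# The subject the CA will copy into the certificate; its CN must match the
# DNS name of the WLC virtual interface.
csr_subject() {
    openssl req -in "$WORK/myreq.pem" -noout -subject
}

show_default_config_dir
write_minimal_config
generate_csr
csr_verifies || { echo "CSR self-signature check failed" >&2; exit 1; }
echo "Subject:             $(csr_subject)"
echo "Signature algorithm: $(csr_signature_algorithm)"
echo "Key size:            $(csr_key_bits) bits"
echo "CSR ready in $WORK/myreq.pem (private key: $WORK/mykey.pem)"
```

Setting the OPENSSL_CONF environment variable to the full path of openssl.cnf has the same effect as -config and saves repeating the flag on every command. The -verify step only proves the CSR is self-consistent; the Signature Algorithm line is what a CA that no longer accepts SHA-1 requests will look at.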
Video - Installing a 3rd Party SSL Certificate for Guest Access
Reference
- Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC
- Generate CSR for Third-Party Certificates and Download Unchained Certificates to the WLC
- Installing a 3rd Party SSL Certificate for Guest Access
- This document was generated from the following discussion: CSR Generation - OpenSSL error: "Unable to load config info from"
Nice reference ..
Is this still valid? Now SHA-2 is a must. SSL version 0.9.8 is no longer supported. I am renewing the certificate and using the same version of ssl I used last year but getting "File Transfer failed" on the controller... The only difference this year is that SHA-2 is a must when I regenerate the Godaddy certificate.
WLC 5508 version 8.0.115.0
SSL version: 0.9.8ze
Thanks
d
I am also facing a similar issue with
WLC 5508 version 8.0.120.0
SSL version 1.0.1f
Hi Abhijit,
I got it to work in the end, this is what worked for me:
Run these commands using version "openssl-0.9.8ze-i386-win32". I ran into some issues, as the hashing has to be SHA-256 obligatorily, so you have to use an intermediate and root CA that are on SHA-256 also.
openssl
req -new -newkey rsa:2048 -nodes -keyout mykeywifi16.pem -out myreqwifi16.pem -sha256 -config openssl.cnf
req -in myreqwifi16.pem -noout -text
This will show you the certificate request; verify that it says
Signature Algorithm: sha256WithRSAEncryption
Copy the certificate request into the public CA (in my case it was GoDaddy), then download the certificate and paste the contents of the certificate plus the intermediate and root on SHA-256. In my case this is the file gd_bundle_g2-g1.crt.
Then run the following commands (copy the file all-certs-wifi16 to the openssl directory first):
pkcs12 -export -in all-certs-wifi16.pem -inkey mykeywifi16.pem -out all-certs-wifi16.p12 -clcerts -passin pass:password -passout pass:password
pkcs12 -in all-certs-wifi16.p12 -out final-cert-wifi16.pem -passin pass:password -passout pass:password
Then copy the file to the controller, adding the password, and it should work. If you change the final extension from .pem to .crt you can see the final certificate chained with the intermediate and root CA, and you can also verify that the hashing is SHA-256.
Some useful commands to run on the controller when you TFTP the certificate:
debug transfer all enable
debug pm pki enable
Hoping this is useful to you.
Cheers
Diego