Hi Chris,

This works !!.. Thanks wink


Hello All,

I am trying to link statically to wolfSSL without success. This is process I follow:

./configure --enable-webServer --enable-static --disable-shared --prefix=<path to external_libs> --exec-prefix=< path to external_libs > CXXFLAGS="-fPIC"
    make install

This produces the files in the given prefix directory.

Then, in my makefile I link it using :

EXTERNAL_LIBS = -L../external_libs/lib/ ../external_libs/lib/libcyassl.a -lcryptopp \

When I compile my program, I get the following error:

-L../external_libs/lib/ ../external_libs/lib/libcyassl.a -lcryptopp /usr/lib/libboost_serialization.so.1.49.0
/usr/bin/ld: ../external_libs/lib/libcyassl.a(src_libcyassl_la-ssl.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
../external_libs/lib/libcyassl.a: could not read symbols: Bad value
collect2: error: ld returned 1 exit status

I am unable to figure out what is wrong as I am using the -fPIC flag. Please help.



(5 replies, posted in wolfSSL (formerly CyaSSL))

Ok thanks. Well the project is more like an academic research project. I started using cyassl for secure socket communication and crypto++ was already used for various encryption and signing tasks.


(5 replies, posted in wolfSSL (formerly CyaSSL))

Another quick question... Is there a way to convert the generated RSA key into PKCS #8 format using cyassl?? (Key is also generated using cyassl embedded SSL).

Basically I am looking to interoperate the keys with crypto++ library. To load a key into crypto++, the key has to be in PKCS #8 format and DER encoded. The current keys generated using cyassl dont work with crypto++ and i get BER decode error. I believe this is as the key is not in PKCS #8 format.



(5 replies, posted in wolfSSL (formerly CyaSSL))

Thanks Chris !


I was looking through the functionality provided by ctaocrypt for signing and verifying data. Though I found RsaSSL_Sign and RsaSSL_Verify, i'm not sure how to use it.

Generally we use a private key to sign and public key to verify the signature.  But the test.c file uses the same key to sign and verify. Am I missing something here?

Also,  http://yassl.com/yaSSL/Docs-cyassl-manu … cates.html shows how to generate an RSA key. This is a private key. What about public key??



Hi Todd,

Thanks for looking into it. I'm using openssl version 0.9.8. In case you do comeup with a patch, please inform me. I really appreciate your support.



Hi Todd,

The mismatch was due to various iterations. So I set up CA from the scratch , but i'm not able to find out where the problem is. I just feel that i'm missing something either in key generation or in the echo server/echo client examples..

I've attached the codebase i'm using for echo server and echo client. Clicert.pem and Clikey.pem are generated from openssl while new_key.pem and new_cert.pem are generated using the code i've posted earlier.

Could you please look at it and help me?


Hi Todd,

In fact I have used CyaSSL_CTX_load_verify_locations() with ca-cert.pem on the echo server. Now i also tried using different names for and certs than what wolfSSL uses in the examples. But, still i'm stuck with the same problem. Keys and certificates generated from code don't seem to work.


I have attached the client files from openssl and via the code above. The only difference i can see is in the start and end dates and version.

Hi Chris,

Well that didn't help much.  Using the ca-key and ca-cert, I want to generate client keys from code. Then I want to authenticate the client when it tries to connect to the server. I have included the key generation and other required code below.

Here is what I did:

1) Generate CA key and certificate as you have specified
2) Generate Server key and certificate as specified
3) Use the CA key and CA certificate in the below code to generate Client certificate and key

// Key generation

RsaKey genkey;
    RNG rng;
    int ret;
    FILE* fp;

    InitRsaKey(&genkey, 0);

    ret = MakeRsaKey(&genkey,1024,65537,&rng);

    byte der[4096];
    byte pem[4096];

    int derSz = RsaKeyToDer(&genkey,der,sizeof(der));

    if(derSz < 0)
        printf("DER error\n");

    int pemSz = DerToPem(der,derSz,pem,sizeof(pem),PRIVATEKEY_TYPE);

    if(pemSz < 0)
        printf("PEM error\n");

    fp = fopen("client-key.pem","w+");


    fp = fopen("client-key.der","w+");



    printf("Now time for certificate..\n");

// Certificate Generation and signing by CA certificate

RsaKey      caKey;
        Cert        myCert;
        byte        derCert[4096];
        byte        pemCert[4096];
        FILE*       derFile;
        FILE*       pemFile;
        int         certSz;
        byte        tmp[2048];
        size_t      bytes;
        word32      idx = 0;

    FILE*  file = fopen("ca-key.der", "rb");

        if (!file)
            return -412;

        bytes = fread(tmp, 1, sizeof(tmp), file);

        InitRsaKey(&caKey, 0);  
        ret = RsaPrivateKeyDecode(tmp, &idx, &caKey, (word32)bytes);
        if (ret != 0) 
        printf("Problem decoding private key\n");    
        return -413;

    strncpy(myCert.subject.country, "US", CTC_NAME_SIZE);
        strncpy(myCert.subject.state, "Arizona", CTC_NAME_SIZE);
        strncpy(myCert.subject.locality, "Tucson", CTC_NAME_SIZE);
        strncpy(myCert.subject.org, "Certificate Authority", CTC_NAME_SIZE);
        strncpy(myCert.subject.unit, "UA", CTC_NAME_SIZE);
        strncpy(myCert.subject.commonName, "Client", CTC_NAME_SIZE);
        strncpy(myCert.subject.email, "ca@provenance.edu", CTC_NAME_SIZE);
    myCert.selfSigned = 0;
    myCert.daysValid = 30;
    ret = SetIssuer(&myCert,"ca-cert.pem");

    if(ret < 0)
    printf("Problem setting issuer..\n");

    certSz = MakeCert(&myCert, derCert, sizeof(derCert), &genkey, &rng); 
        if (certSz < 0)
        printf("Problem with Make cert\n");            
        return -407;

        certSz = SignCert(&myCert, derCert, sizeof(derCert), &caKey, &rng);
        if (certSz < 0)
        printf("Problem with signing certificate\n");            
        return -408;

    int someSz = -1;
    someSz = DerToPem(derCert,certSz,pemCert,sizeof(pemCert),CERT_TYPE);
       if (someSz < 0)
        printf("Problem in conversion from DER to PEM\n");            
        return -409;
        printf("Size is %d\n",someSz);
    FILE* certfp;
    certfp = fopen("client-cert.pem","w+");


    certfp = fopen("client-cert.der","w+");


4) In EchoClient, I add the following code block before creating socket file descriptor:

if (CyaSSL_CTX_use_certificate_file(ctx,"./client-cert.pem",SSL_FILETYPE_PEM)!= SSL_SUCCESS) {
       fprintf(stderr, "Error loading ./clientcert.pem, please check the file.\n");

    if (CyaSSL_CTX_use_PrivateKey_file(ctx,"./client-key.pem", 
                SSL_FILETYPE_PEM) != SSL_SUCCESS) {
       fprintf(stderr, "Error loading ./clientkey.pem, please check the file.\n");
    CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |  SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);    

5) In EchoServer, I add the following line before the socket file descriptor:


As soon as I type something in echo client and press Enter, I get read error -155.

If I create the client key and client certificate using openssl (i.e., the way we created server key and server certificate), everything works.

So I believe there is something wrong in my key and certificate generation code, but i'm unable to figure it out.


Hi Chris,

Here are the commands used to generate the CA key and certificate:

$ openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extfile provenance.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem

Just as pure guess work, I tried converting this key from PEM to DER and it worked !.. But, I'm not able to use these keys with the echo client and echo server examples..

If you need more info. i can share it with you.. Currently, I have a rootCA which creates and signs a serverCA. I have done this using openssl. After this, the rootCA creates and signs client certificates and keys. The serverCA creates and signs server certificates and keys. Though i'm able to generate the keys after using DER format for the private key, i'm unable to use it with the echoclient and echoserver examples. I get a write failed and read error at the two ends.

Using openssl to generate the same client and server keys work. So I think i'm missing something while generating the keys and certificates. (Self signed certificates work seamlessly. )

Looking for your insight on this as i'm relatively new to ssl.


ok thanks..another question..if I try to self sign the generated  certificates everything is fine. But, if I try to sign it with a CA private key,(i setup a ca using openssl and am trying to use its private key) i get an error while trying to decode the private key..

specifically i get an error here :

ret = RsaPrivateKeyDecode(tmp,&idx,&caKey,(word32)bytes);

Is there anything wrong is using the private key of ca from openssl??

Thanks Chris..it worked.. Is there any reason why I have to add this during the build process??


I am trying to generate certificates using the code given in chapter 7 and test.c, but i'm unable to compile.  During configuration, i have used --enable-certgen.

This is the piece of code i have in certificate.c :

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

#include <cyassl/ctaocrypt/asn.h>

int main()
            Cert myCertificate;

          // Other code as given in example
            return 0;

I get "Cert undeclared" error. I'm unable to figure out why this is happening. Generating RSA keys works fine, but as soon as I declare a variable to generate certificate, I get this error.

Hoping to find some assistance.