certificate client.* non valid on windows XP

Joel MBA OYONE mba_oyone at yahoo.fr
Sun Jul 13 03:36:06 CEST 2008


Thanks a lot, guy!

I tried to create my own certificate (that I didn't verify), but I still encounter a problem generating the client certificate: the key file and the .p12 file are empty (size 0 KB) and I don't know why, and it gives no error message!!

I will try the scripts you gave me...

Mine are below and could have a mistake on the client lines:

-------------------------------------------------------------------------------------------------------------

######################################################################
#
#  Create a new self-signed CA certificate
#
######################################################################
# cakey.pem, cacert.pem:
    openssl req -new -x509 -keyout /etc/raddb/Md5CA/Private/cakey.pem -out /etc/raddb/Md5CA/cacert.pem -config /etc/raddb/Md5CA/conf/ca.cnf

cacert.der: cacert.pem
    openssl x509 -inform PEM -outform DER -in /etc/raddb/Md5CA/cacert.pem -out /etc/raddb/Md5CA/cacert.der

######################################################################




# Server certificate request

	openssl req -newkey rsa:1024 -keyout /etc/raddb/Md5CA/keys/radiusserver2_key.pem -out /etc/raddb/Md5CA/req/radiusserver2_cert.req -config /etc/raddb/Md5CA/conf/server.cnf


# Sign the server certificate

	openssl ca -out /etc/raddb/Md5CA/certs/radiusserver2_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/Md5CA/req/radiusserver2_cert.req

===================================================================================

# Client certificate request

	#openssl req -new -nodes -keyout /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/req/toutou_cert.req
	openssl req -newkey rsa:1024 -keyout /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/req/toutou_cert.req -config /etc/raddb/Md5CA/conf/client.cnf

# Sign the client certificate
# (output path made consistent with the pkcs12 step below: /etc/raddb/Md5CA/certs/, not /etc/raddb/certs/Md5CA/certs/)

	openssl ca -out /etc/raddb/Md5CA/certs/toutou_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/Md5CA/req/toutou_cert.req

# Convert the client certificate to PKCS#12 format
# (key path made consistent with the request step above: keys/, not key/)

	openssl pkcs12 -export -in /etc/raddb/Md5CA/certs/toutou_cert.pem -inkey /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/certs/p12s/toutou_certs.p12 -clcerts




######################################################################
#
#  Miscellaneous rules.
#
######################################################################
index.txt:
	@touch index.txt

serial:
	@echo '01' > serial

random:
	@if [ -e /dev/urandom ] ; then \
		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
	else \
		date > ./random; \
	fi

print:
	openssl x509 -text -in server.crt

printca:
	openssl x509 -text -in ca.pem

clean:
	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem

#
#  Run distclean ONLY if there's a CVS directory, AND it points to
#  cvs.freeradius.org.  Otherwise, it would be easy for administrators
#  to type "make distclean", and destroy their CA and server certificates.
#
distclean:
	@if [ -d CVS -a `grep -i 'cvs\.freeradius\.org' CVS/Root` ] ; then \
		rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
			serial* random *\.0 *\.1; \
	fi



 
MBA OYONE Joël
Lot. El Firdaous
Bât GH20, Porte A 204, Appt 8
20000 Oulfa
Casablanca - Morocco

Tel.: +212 69 25 85 70



----- Original message -----
From: Sergio <sergioyebenes at alumnos.upm.es>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Monday, 14 July 2008, 21:50:42
Subject: Re: certificate client.* non valid on windows XP

Reveal MAP wrote:
> Thanks for your help Sergio, but it is exactly the same!! It doesn't work.
>
> ----- Original message -----
> From: Sergio <sergioyebenes at alumnos.upm.es>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Sunday, 13 July 2008, 18:51:41
> Subject: Re: certificate client.* non valid on windows XP
>
> Reveal MAP wrote:
> > Installing ca.der, server.crt and client.crt, I obtain exactly the
> > same result!!
> >
> > ----- Original message -----
> > From: Sergio <sergioyebenes at alumnos.upm.es>
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Sent: Sunday, 13 July 2008, 16:59:38
> > Subject: Re: Re: certificate client.* non valid on windows XP
> >
> > Reveal MAP wrote:
> > > Thank you Sergio for your answer.
> > >
> > >
> > > - Windows says too that one of the certificate authorities seems not to
> > > be able to deliver certificates or can't be used as a final entity...
> > > so, I tried what you said: install Server.p12 as an intermediate CA,
> > > without resolving the problem.
> > >
> > > I will try to make my own certs and see. Thanks!
> > >
> > > -----
> > >
> > > >
> > > I had the same problem. The fact is that the server is an intermediate
> > > authority and, using Internet Explorer, you need to install server.p12
> > > into the intermediate trusted CA container. Also check the validity period
> > > (beginning date). I had to change the Windows date to the next day, but I don't
> > > remember why. Finally I made my own CA because the default radius PKI was
> > > confusing me, and I used my CA private key to sign client.*
> > > I hope that this helps you.
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> > > ----- Original message -----
> > > From: Sergio <sergioyebenes at alumnos.upm.es>
> > > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > > Sent: Sunday, 13 July 2008, 16:09:34
> > > Subject: Re: certificate client.* non valid on windows XP
> > >
> > > Reveal MAP wrote:
> > > > hi,
> > > >
> > > > I use freeradius 2.0.5 and openSUSE 10.3
> > > >
> > > > I ran the "bootstrap" script + "make client.pem", "make client.p12",
> > > > - I imported "ca.der" on my XP laptop, located in the CA Authority
> > > > container.
> > > > I imported server.p12 too (just to verify the signature) and
> > > > everything is OK.
> > > > - But when I import client.p12, Windows tells me this certificate is
> > > > not valid! and I don't know why.
> > > >
> > > > I executed two commands: server.vrfy and client.vrfy, hoping their
> > > > output (below) could help.
> > > >
> > > >
> > > > Thank you for helping
> > > >
> > > > -------------------------------------------------------------------------------------------------
> > > > linux:/etc/raddb/certs # make server.vrfy
> > > > openssl verify -CAfile ca.pem server.pem
> > > > server.pem: OK
> > > >
> > > >
> > > > make client.vrfy
> > > > openssl pkcs12 -export -in server.crt -inkey server.key -out
> > > > server.p12  -passin pass:`grep output_password server.cnf | sed
> > > > 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf |
> > > > sed 's/.*=//;s/^ *//'`
> > > > openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
> > > > output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout
> > > > pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
> > > > MAC verified OK
> > > > openssl pkcs12 -export -in client.crt -inkey client.key -out
> > > > client.p12  -passin pass:`grep output_password client.cnf | sed
> > > > 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf |
> > > > sed 's/.*=//;s/^ *//'`
> > > > openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep
> > > > output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout
> > > > pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
> > > > MAC verified OK
> > > > cp client.pem `grep emailAddress client.cnf | grep '@' | sed
> > > > 's/.*=//;s/^ *//'`.pem
> > > > c_rehash .
> > > > Doing .
> > > > 02.pem => eee97f35.0
> > > > WARNING: Skipping duplicate certificate user at example.com.pem
> > > > client.pem => 583a9f4b.0
> > > > 01.pem => dcd1729a.0
> > > > WARNING: Skipping duplicate certificate user2 at example.com.pem
> > > > server.pem => dcd1729a.1
> > > > WARNING: Skipping duplicate certificate 03.pem
> > > > WARNING: Skipping duplicate certificate 04.pem
> > > > ca.pem => 23537b55.0
> > > > openssl verify -CApath . client.pem
> > > > client.pem: OK
> > > >
> > > >
> > ------------------------------------------------------------------------
> > > > Sent with Yahoo! Mail
> > > > <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>.
> > > > A smarter mailbox.
> > > >
> > > > __________ NOD32 information, revision 3263 (20080711) __________
> > > >
> > > > This message has been scanned with NOD32 antivirus system
> > > > http://www.nod32.com
> > > >
> > ------------------------------------------------------------------------
> > > >
> > >
> > >
> > >
> > Try to install server.cer, not server.p12, into the intermediate container.
> > Open the client cert with IE and see the certification route. If you can see the
> > 3-level route but the client cert isn't OK, check dates. I'm sure this works.
> > 
> If you install client.crt you have only installed the client public key. DER
> format (crt, cer, der) usually contains only the public key. The p12 format
> contains the public and private key. Because of this, and because the server is
> your signer, you should install ca.der, server.crt and client.p12 into the
> root, intermediate, and personal containers, respectively, and in this
> order to be sure.
>
>  
I think it can be the Extended Key Usage field in the server cert. It brings 
client authentication and probably IE isn't clever enough. But the default 
configuration appends the XP extensions and should work...... I don't 
understand....... Firefox hasn't got an intermediate CA container, but it 
installs the cert into the root container and recognizes the route. You can see 
this link; it's Spanish, but there are 3 shell scripts, commented in 
English, to build all the PKI. Be careful with the demoCA/ dir.
http://www.blyx.com/public/wireless/wpa+eap-tls+radius/hotwo-wpa+eap-tls+freeradius.pdf


_____________________________________________________________________________
Sent with Yahoo! Mail. A smarter mailbox http://mail.yahoo.fr
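Both practical questions in this thread, why the client key and .p12 come out as zero-byte files, and whether the Extended Key Usage extension is what Internet Explorer objects to, are easiest to settle by rebuilding the chain in a scratch directory and inspecting the result before anything is copied to a Windows box. The script below is an added example, not code from the thread or from FreeRADIUS: it builds a throwaway CA, a server certificate and a client certificate using extension sections modelled on the xpserver_ext/xpclient_ext sections of the xpextensions file the Makefile above references, signs with `openssl x509 -req` instead of `openssl ca` so it needs no index.txt/serial directory, bundles the client certificate into a PKCS#12, and then checks the chain, the EKU, the PKCS#12 MAC and the file sizes. The subject names, the temporary directory and the export password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): build a small two-level
# test PKI, then run the checks a client certificate should pass before it is
# imported on a Windows client. Subject names and the password are made up.
set -eu

build_and_check_pki() {
    dir=$(mktemp -d)          # scratch directory, removed at the end
    pass="changeme"           # placeholder PKCS#12 export password

    # Extension sections modelled on FreeRADIUS' xpextensions file:
    # 1.3.6.1.5.5.7.3.2 = TLS client authentication, .1 = server authentication
    cat > "$dir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

    # 1. Self-signed CA. -nodes avoids the interactive passphrase prompt that
    #    "openssl req -newkey" otherwise issues, so the run is unattended.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl x509 -inform PEM -outform DER -in "$dir/cacert.pem" -out "$dir/ca.der"

    # 2. Server request, signed by the CA with the serverAuth EKU
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=radius.example.test" \
        -keyout "$dir/server_key.pem" -out "$dir/server.req" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.req" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/xpextensions" -extensions xpserver_ext \
        -out "$dir/server_cert.pem" 2>/dev/null

    # 3. Client request, signed by the CA with the clientAuth EKU
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=toutou" \
        -keyout "$dir/client_key.pem" -out "$dir/client.req" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.req" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/xpextensions" -extensions xpclient_ext \
        -out "$dir/client_cert.pem" 2>/dev/null

    # 4. Client key + certificate + CA certificate into one PKCS#12 bundle,
    #    which is what goes into the Windows "Personal" store
    openssl pkcs12 -export -in "$dir/client_cert.pem" -inkey "$dir/client_key.pem" \
        -certfile "$dir/cacert.pem" -out "$dir/client.p12" -passout "pass:$pass"

    # 5. Checks: chain validates against the CA, the client EKU is present,
    #    the bundle opens with its password, and nothing is a zero-byte file
    openssl verify -CAfile "$dir/cacert.pem" "$dir/client_cert.pem" >/dev/null
    openssl x509 -in "$dir/client_cert.pem" -noout -text \
        | grep -q "TLS Web Client Authentication"
    openssl pkcs12 -in "$dir/client.p12" -noout -passin "pass:$pass" 2>/dev/null
    for f in cakey.pem cacert.pem ca.der server_key.pem server_cert.pem \
             client_key.pem client_cert.pem client.p12; do
        [ -s "$dir/$f" ] || { echo "EMPTY: $f"; rm -rf "$dir"; return 1; }
    done

    rm -rf "$dir"
    echo OK
}

build_and_check_pki
```

The empty-file loop is the check missing from the Makefile rules above: a request step that stops at a passphrase prompt, or a pkcs12 step pointed at a key path that does not exist, leaves a zero-byte output file with no error in the build log. One caveat when the target really is an old Windows release: OpenSSL 3 writes PKCS#12 files with AES-256 and PBKDF2 by default, which those clients cannot open, and `openssl pkcs12 -export -legacy` produces the older encoding.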
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080713/afc19d41/attachment.html>

