eap-ttls failing

tnt at kalik.net
Tue Jan 27 16:42:43 CET 2009


>I did find the Makefile. Thanks! I tried to do a make caclient.pem but
>it threw this error:
>
>openssl req -new  -out caclient.csr -keyout caclient.key -config
>../client.cnf
>Generating a 2048 bit RSA private key
>............+++
>........+++
>writing new private key to 'caclient.key'
>-----
>openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr  -key
>`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt
>-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
>Using configuration from ./client.cnf
>wrong number of fields on line 1 (looking for field 6, got 1, '' left)
>make: *** [caclient.crt] Error 1
>
>I don't need to re-do my CA and server cert prior to making the client
>certs, do I?
>
>Here is my client.cnf. It's almost as if it doesn't understand that it
>needs to take the values from [ CA_default ]
>
>[ ca ]
>default_ca              = CA_default
>
>[ CA_default ]
>dir                     = ./
>certs                   = $dir
>crl_dir                 = $dir/crl
>database                = $dir/index.txt
>new_certs_dir           = $dir
>certificate             = $dir/server.pem
>serial                  = $dir/serial
>crl                     = $dir/crl.pem
>private_key             = $dir/server.key
>RANDFILE                = $dir/.rand
>name_opt                = ca_default
>cert_opt                = ca_default
>default_days            = 7300
>default_crl_days        = 30
>default_md              = sha1
>preserve                = no
>policy                  = policy_match
>
>[ policy_match ]
>countryName             = match
>stateOrProvinceName     = match
>organizationName        = match
>localityName            = optional
>organizationalUnitName  = optional
>commonName              = supplied
>emailAddress            = optional
>
>[ policy_anything ]
>countryName             = optional
>stateOrProvinceName     = optional
>localityName            = optional
>organizationName        = optional
>organizationalUnitName  = optional
>commonName              = supplied
>emailAddress            = optional
>
>[ req ]
>prompt                  = no
>distinguished_name      = client
>default_bits            = 2048
>input_password          = <hidden>
>output_password         = <hidden>
>
>[client]
>countryName             = US
>stateOrProvinceName     = Michigan
>localityName            = Hancock
>organizationName        = REMC1
>emailAddress            = support at remc1.net
>

I'll check again. You can't make both client and caclient certificates
for the same user (you have to revoke one in order to make the other).
You don't need new CA and server certificates.

Ivan Kalik
Kalik Informatika ISP
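
A check worth running before retrying "make caclient.pem", added here as
an example (written for this page; it is not from the thread or from the
FreeRADIUS certs Makefile). The "wrong number of fields on line 1
(looking for field 6, got 1, '' left)" message is printed by openssl ca
while it loads its database, the file named by "database" in
[ CA_default ] (./index.txt in the quoted client.cnf), not while it reads
the rest of client.cnf. Every line of that file must carry exactly six
tab-separated fields (status, expiry, revocation date, serial, filename,
subject DN), and OpenSSL counts fields as tabs plus one, so "got 1, ''
left" on line 1 means the first line contains no tab at all, which is
what a blank line produces; an empty file (no lines) loads fine. The
script counts fields the same way and reports any line that would make
openssl ca refuse the database. The helper names check_index_db and
demo are my own, and the sample databases demo writes are constructed
for the demonstration (hypothetical serial and subject).

```sh
# Added example, not code from the thread or the FreeRADIUS certs Makefile.
# Validate an OpenSSL "ca" database (index.txt): each line must hold six
# tab-separated fields. Fields are counted as OpenSSL does: tabs + 1, so a
# blank line counts as one field. Prints offending lines; returns 1 if any.
check_index_db() {
    awk '
        {
            n = gsub(/\t/, "\t") + 1        # tabs + 1, as OpenSSL counts
            if (n != 6) {
                printf "%s: line %d has %d field(s), expected 6\n", FILENAME, NR, n
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed sample databases (hypothetical serial and subject DN):
#   good.txt  - one valid entry in the layout openssl ca writes
#   empty.txt - zero lines, as "touch index.txt" creates; loads fine
#   blank.txt - a single newline, i.e. line 1 has no tab; rejected
demo() {
    dir=$(mktemp -d) || return 1
    printf 'V\t290101000000Z\t\t01\tunknown\t/C=US/ST=Michigan/O=REMC1/CN=server\n' > "$dir/good.txt"
    : > "$dir/empty.txt"
    printf '\n' > "$dir/blank.txt"
    for f in good empty blank; do
        if check_index_db "$dir/$f.txt"; then
            echo "$f.txt: ok"
        else
            echo "$f.txt: openssl ca would reject this database"
        fi
    done
    rm -rf "$dir"
}
demo
```

Point check_index_db at the file your CA config names under "database"
(with dir = ./ in the quoted config, that is ./index.txt in the certs
directory); a line number it reports is the same line number openssl ca
prints in its error.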