Cert issues

Rudolph Bott r at bott.im
Mon Feb 13 11:30:37 CET 2012


On 13.02.2012 10:32, Alan DeKok wrote:
> Please respond to the original email, not a digest, and use a good
> subject line.  It helps other people track the conversation.
>
> Gilmour, Scott wrote:
>> Alan,
>> I already have certificates created on my 2008 Server so I want to 
>> use those certificates on my Ubuntu Server without creating new ones.
>
>   That's fine.

If you use a MS CA please be aware that by default 2k8 CAs create 
certificates signed with SHA-256bit - many systems (including XP and Win 
2003 without a patch) are NOT able to deal with those certificates, as 
they only support SHA1. Once the CA has been set up, there is no easy way 
to change this.

Also, usually MS CAs include some mandatory extensions in their CRLs 
which OpenSSL cannot read either. You need to remove these extensions 
in the CRL configuration.


>
>> You mentioned my openssl configuration is wrong.  Any suggestions on 
>> how I can fix the openssl configuration?
>
>   The file raddb/certs/Makefile creates good certificates.  The *cnf
> files in the same directory create good certificates.  I don't know what
> you're doing different, and it isn't really useful to look.
>
>   Grab the certificate creation commands from the Makefile, and use
> those.  Modify them to point to your files.  It *will* work.
>
>   There's a lot of magic in creating good certs.  That magic is embedded
> in the existing Makefile and config files.  Use them, they will make
> your life easier.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-- 
Mit freundlichen Grüßen / with kind regards
   Rudolph Bott
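The two pitfalls Rudolph describes (a CA that signs with SHA-2 when older clients only speak SHA-1, and CRL extensions OpenSSL cannot interpret) are both visible from the command line before a certificate ever reaches FreeRADIUS. The script below is an added example, not code from the thread or from the FreeRADIUS project; it assumes only the `openssl` command-line tool and POSIX sh. It prints the signature algorithm of a PEM certificate and classifies its digest, and it lists the extensions in a CRL that are flagged critical or that OpenSSL can only render as a raw OID under Microsoft's private enterprise arc (1.3.6.1.4.1.311), which is where Microsoft-specific CRL extensions appear when OpenSSL has no name for them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pre-flight checks for
# certificates and CRLs exported from a Microsoft CA before they are handed
# to FreeRADIUS/OpenSSL. Requires the openssl command-line tool.

# Print the signature algorithm of a PEM certificate, e.g.
# "sha256WithRSAEncryption". Prints nothing if the file is not a certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Classify an algorithm name by digest: "sha2" for SHA-256/384/512 (what a
# default 2008 CA issues), "sha1" for the legacy digest older clients expect,
# "other" for anything else.
digest_family() {
    case "$1" in
        *sha256*|*SHA256*|*sha384*|*SHA384*|*sha512*|*SHA512*) echo sha2 ;;
        *sha1*|*SHA1*) echo sha1 ;;
        *) echo other ;;
    esac
}

# Read `openssl crl -noout -text` (or `openssl x509 -noout -text`) output on
# stdin and print the name of every extension marked critical, one per line.
critical_exts_from_text() {
    awk '/^ *[^ ].*: *critical *$/ { sub(/^ */, ""); sub(/: *critical *$/, ""); print }'
}

# Same input; print every extension that OpenSSL could only show as a raw OID
# under Microsoft's private arc (1.3.6.1.4.1.311.*), i.e. extensions it has
# no built-in decoder for.
ms_oid_exts_from_text() {
    awk '/^ *1\.3\.6\.1\.4\.1\.311\./ { sub(/^ */, ""); sub(/:.*$/, ""); print }'
}

# File-based wrappers around the two text parsers for a PEM CRL.
crl_critical_exts() { openssl crl -in "$1" -noout -text 2>/dev/null | critical_exts_from_text; }
crl_ms_oid_exts()   { openssl crl -in "$1" -noout -text 2>/dev/null | ms_oid_exts_from_text; }

# Usage: ./check-msca.sh server.pem ca.crl ...
# Each argument is treated as a certificate if openssl can parse it as one,
# otherwise as a CRL.
if [ "$#" -ge 1 ]; then
    for f in "$@"; do
        alg=$(cert_sig_alg "$f")
        if [ -n "$alg" ]; then
            echo "$f: certificate signed with $alg (digest family: $(digest_family "$alg"))"
        else
            echo "$f: CRL extensions marked critical:"
            crl_critical_exts "$f" | sed 's/^/  /'
            echo "$f: CRL extensions shown only as Microsoft OIDs:"
            crl_ms_oid_exts "$f" | sed 's/^/  /'
        fi
    done
fi
```

A "sha2" result on a certificate that must also be accepted by unpatched XP or 2003 clients reproduces the first problem in the message; any output from the two CRL lists points at the extensions to look at in the CA's CRL configuration.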
