Server certificate confusion
Nick Howitt
nick at howitts.co.uk
Wed Apr 18 11:40:06 CEST 2018
On 17/04/2018 14:35, Nick Howitt wrote:
>
>
> On 17/04/2018 13:55, Alan DeKok wrote:
>> On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick at howitts.co.uk> wrote:
>>> Replying to my own post.
>>>
>>> There was a permission problem which I've now fixed, but I still get
>>> failure:
>>> eapol_test:
>>>
>>> (6) eap_tls: ERROR: SSL says error 26 : unsupported certificate
>>> purpose
>> That means that the certificate hierarchy is wrong. i.e. cert A
>> has created cert B, but cert A doesn't have OIDs which say it's
>> allowed to create sub-certificates.
>>
>> Newer versions of OpenSSL check these settings. Older versions of
>> OpenSSL didn't do that.
>>
>> How did you create the certificates? The scripts in the
>> raddb/certs directory should work, so using those would probably help.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> Thanks for the reply. The distro, ClearOS is working in a slightly
> funny way. The CA is created from (adjusted expanding the variables
> with the config file):
> openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep
> default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config
> /etc/raddb/certs/ca.cnf
>
> It is a little tortuous with how it gets here, but it is using the
> default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking
> the generated CA, I see:
> X509v3 Basic Constraints: critical
> CA:TRUE
>
> Nick
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Hello Alan,
I've reverted the set up to use the standard Freeradius certs and I've
been through the certs README, deleting all certificates and recreating
the ca.pem and server certs (btw I think the order in the README is
wrong as you need to create the server.csr before the server.pem) and
I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported
certificate purpose" issue when running eapol_test with the new certs.
If I remove the "-extensions xpserver_ext -extfile xpextensions" from
the makefile and recreate the server.pem, the eapol_test passes but
presumably the certs will be rejected by M$ Windows.
Regards,
Nick
More information about the Freeradius-Users
mailing list