unsupported certificate purpose

Fri Oct 30 18:51:54 CET 2020

On Oct 30, 2020, at 1:47 PM, murugesh pitchaiah <murugesh.pitchaiah at gmail.com> wrote:
> I generated key and certificate using the openssl.cnf and below steps:

  FreeRADIUS comes with certificate creation scripts in raddb/certs.  The certificates created with those scripts *work*.

> openssl genrsa -aes256 -out key.pem
> openssl req -config openssl.cnf -key key.pem new -sha256 -out csr.pem
> openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext
> -md sha256 -in csr.pem -out cert.pem

  We don't know what's in the "openssl.cnf" file you're using.  We suggest just using the scripts that are included with FreeRADIUS.

> This generation is done in a linux box with openssl 1.0.2.
> 
> While verifying with openssl 1.1.0 (also using 1.0.2) using below
> steps -  in the ubuntu where freeradius is running - it shows OK.
> 
> openssl verify -CAfile cacert.pem  cert.pem
> cert.pem: OK

  That's good.

> But only freeradius is throwing the error on purpose.

  Again... it's *openssl* which is giving the error to FreeRADIUS.  The server is just reporting it.

> Still i generated a new client certificate without the 'digital
> signature' key usage.

  OpenSSL doesn't like one of the other extensions.  Which one?  I don't know... OpenSSL won't tell us.

  Use the scripts included with FreeRADIUS.  If you need extra OIDs, create certs *without* them, and test.  If that works (and it will), then add OIDs one by one, until it doesn't work.

  That's the OID which is failing.  Why?  OpenSSL won't tell us.

  Alan DeKok.