<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal">I have Ubuntu Server installed and I have a Windows 2008 Server Certificate Authority<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">When I type th<span style="color:#1F497D">e</span> openssl command I keep on getting this error<span style="color:#1F497D">:
</span><span lang="EN">CA certificate and CA private key do not match<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"> Any help or suggestions would be appreciated.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Thanks<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Scott<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Ps. I was able to get Samba to work after loading the lates server Ubuntu 11.10. Thanks for everyones help.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Using configuration from /usr/lib/ssl/openssl.cnf<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">CA certificate and CA private key do not match<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs#
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs# openssl req -new -nodes -keyout mykey.pem -out server.csrGenerating a 1024 bit RSA private key<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">.......++++++<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">........++++++<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">writing new private key to 'mykey.pem'<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">-----<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">You are about to be asked to enter information that will be incorporated<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">into your certificate request.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">What you are about to enter is what is called a Distinguished Name or a DN.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">There are quite a few fields but you can leave some blank<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">For some fields there will be a default value,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">If you enter '.', the field will be left blank.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">-----<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Country Name (2 letter code) [AU]:US<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">State or Province Name (full name) [Some-State]:MA<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Locality Name (eg, city) []:Andover<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Organization Name (eg, company) [Internet Widgits Pty Ltd]:Enterasys.com<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Organizational Unit Name (eg, section) []:SQA<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Common Name (eg, YOUR name) []:Scott<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Email Address []:SQA@enterasys.com<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Please enter the following 'extra' attributes<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">to be sent with your certificate request<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">enterasys []:enterasys<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">An optional company name []:Enterasys<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs#
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs# openssl pkcs12 -in "SQA 2008 System Certificate.p12" -out ca.pem<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Enter Import Password:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">MAC verified OK<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Enter PEM pass phrase:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Verifying - Enter PEM pass phrase:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">Using configuration from /usr/lib/ssl/openssl.cnf<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">CA certificate and CA private key do not match<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN">root@FreeRadius:/etc/freeradius/certs#
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenSSL.cnf file:<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># OpenSSL example configuration file.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># This is mostly being used for generation of certificate requests.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># This definition stops the following lines choking if HOME isn't<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># defined.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">HOME = .<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">RANDFILE = $ENV::HOME/.rnd<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># Extra OBJECT IDENTIFIER info:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">#oid_file = $ENV::HOME/.oid<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">oid_section = new_oids<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># To use this configuration file with the "-extfile" option of the<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># "openssl x509" utility, name here the section containing the<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># X.509v3 extensions to use:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># extensions =
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># (Alternatively, use a configuration file that has only<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># X.509v3 extensions in its main [= default] section.)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">[ new_oids ]<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># We can add new OIDs in here for use by 'ca', 'req' and 'ts'.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># Add a simple OID like this:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># testoid1=1.2.3.4<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># Or use config file substitution like this:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># testoid2=${testoid1}.5.6<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""># Policies used by the TSA examples.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">tsa_policy1 = 1.2.3.4.1<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">tsa_policy2 = 1.2.3.4.5.6<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">tsa_policy3 = 1.2.3.4.5.7<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">####################################################################<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">[ ca ]<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">default_ca = CA_default # The default ca section<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">####################################################################<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">[ CA_default ]<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">dir = /etc/freeradius # Where everything is kept<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">certs = $dir/certs # Where the issued certs are kept<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">crl_dir = $dir/crl # Where the issued crl are keptcd ..<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">database = $dir/index.txt # database index file.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">#unique_subject = no # Set to 'no' to allow creation of<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""> # several ctificates with same subject.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">new_certs_dir = $dir/certs # default place for new certs.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">certificate = $certs/ca.pem # The CA certificate<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">serial = $dir/serial # The current serial number<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">crlnumber = $dir/crlnumber # the current crl number<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""> # must be commented out to leave a V1 CRL<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">crl = $dir/crl.pem # The current CRL<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">private_key = $certs/mykey.pem # The private key<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">RANDFILE = $certs/random # private random number file<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">x509_extensions = usr_cert # The extentions to add to the cert<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Directions I am Using:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">The second way of doing this, which is not very neat, is as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">>From the computer where your freeradius is, you generate a request and a private key by:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">The challenge password is important because it'll be used in the freeradius configuration<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> shell:~ # cp mykey.pem /usr/local/etc/raddb/certs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Then, from the computer where your CA authority is, open a Command prompt window and type:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> C:\>certutil -backup directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">It will prompt you for the password for your private key and will generate a backup of your CA private and public key inside the directory "directory". Let's say that your password
is "password".<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Then, go to "directory"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> C:\>cd directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">And copy the file "Certification Authority.p12" to the computer where your FreeRadius is. This file contains both your CA's private and public keys. Then, from your freeradius computer,
you need to convert this file to a format more "manageable".<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> shell:~ # openssl pkcs12 -in "Certification Authority.p12" -out ca.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Then, you need to modify your /etc/ssl/openssl.cnf file. Locate the section [ CA_default ] and modify the lines certificate and private_key, so they point to the file you generated
in the last step. Those lines should look like:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">certificate = /root/ca.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">private_key = /root/ca.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Once you have finished doing these changes, then create a file called xpextensions with the following contents:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">[ xpserver_ext ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">extendedKeyUsage = 1.3.6.1.5.5.7.3.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">This is required to add the extension needed for your certificate. Then<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> shell:~ # openssl ca -policy policy_anything -out certificate.pem -passin pass:password -key password -extensions xpserver_ext -extfile xpextensions -infiles server.csr<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Delete the file server.csr<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> shell:~ # rm server.csr<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">And copy the files ca.pem and certificate.pem to /usr/local/etc/raddb/certs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> shell:~ # cp ca.pem certificate.pem /usr/local/etc/raddb/certs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">It is preferable to delete all info about the private key from the file ca.pem, but it is up to you.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">SAMPLE EAP.CONF<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">eap {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> default_eap_type = peap<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> timer_expire = 60<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> ignore_unknown_eap_types = no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> cisco_accounting_username_bug = no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> tls {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> private_key_password = #The challenge password you have chosen when you generated your private key<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> private_key_file = ${raddbdir}/certs/mykey.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> certificate_file = ${raddbdir}/certs/certificate.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> CA_file = ${raddbdir}/certs/ca.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> dh_file = ${raddbdir}/certs/dh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> random_file = /dev/urandom<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> fragment_size = 1024<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> include_length = yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> peap {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> default_eap_type = mschapv2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> mschapv2 {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>