On Oct 30, 2020, at 1:47 PM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
I generated key and certificate using the openssl.cnf and below steps:
FreeRADIUS comes with certificate creation scripts in raddb/certs. The certificates created with those scripts *work*.
openssl genrsa -aes256 -out key.pem openssl req -config openssl.cnf -key key.pem new -sha256 -out csr.pem openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in csr.pem -out cert.pem
We don't know what's in the "openssl.cnf" file you're using. We suggest just using the scripts that are included with FreeRADIUS.
This generation is done in a linux box with openssl 1.0.2.
While verifying with openssl 1.1.0 (also using 1.0.2) using below steps - in the ubuntu where freeradius is running - it shows OK.
openssl verify -CAfile cacert.pem cert.pem cert.pem: OK
That's good.
But only freeradius is throwing the error on purpose.
Again... it's *openssl* which is giving the error to FreeRADIUS. The server is just reporting it.
Still i generated a new client certificate without the 'digital signature' key usage.
OpenSSL doesn't like one of the other extensions. Which one? I don't know... OpenSSL won't tell us. Use the scripts included with FreeRADIUS. If you need extra OIDs, create certs *without* them, and test. If that works (and it will), then add OIDs one by one, until it doesn't work. That's the OID which is failing. Why? OpenSSL won't tell us. Alan DeKok.