Message: 7 Date: Mon, 9 Oct 2006 11:26:51 -0400 From: "Brian vb" <nova5radius@gmail.com> Subject: RE: EAP-TLS Certificate problems. To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> Message-ID: <000f01c6ebb7$59118220$be01010a@lightwave> Content-Type: text/plain; charset="us-ascii"
Recreated certs, same issue came with the Issuer field. XPExtensions are used. Password is the same in this file an what Freeradius has just changed to protect it.
Here is the batch file I'm using to create the certs. I don't see anything amiss between it and the page you sent.. any ideas?
PATH=C:\openssl\bin;C:\ssl1;%path% export LD_LIBRARY_PATH=C:\openssl\lib
CD\SSL1
REM CA Creation C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out root.der
I'm not sure what you're doing here. First, "> C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
-days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved"
You're outputting the private key and public key to the same file. I'm not sure if this will include both in the same file, or only create one. Regardless, it's not what you want to do. Give the files unique names. The clients and server need the public key and only the certificate signing machine needs the private key. You don't want to combine the keys. To create a CA: openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf Also, why are you creating a p12 file for the CA? You certainly don't want to hand out the private key to clients, and for certificate signing, you only need the private key which can be stored in cakey.pem for example. Clients should be given cacert.pem or cacert.der depending on the format you use. The p12 format should only be used for client certs because those need to combine private key + certificate (at least for the MS supplicant).
REM Client cert Create C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
Again, -keyout is used to creaate the private key, and -out to create the certificate signing request which is then passed on to the CA later. You're using the same filename, so I have no idea what's happening. Either you have a certificate signing request and no key, or a key without a signing request. Either way, it won't work. You need to do something like this: openssl req -new -keyout client_key.pem \ -out client_req.pem -days 730 -config ./openssl.cnf Notice that the key and the signing request are given different names.
C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile xpexts -infiles newreq.pem
C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der
So, you convert from a PEM certificate and PEM key, to a P12 cert+key, to a PEM cert+key to DER cert+key. Why? The P12 cert+key will work fine.
REM Server Cert Create C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
Again, the key and certificate signing request must be given different names or else your setup will fail.
C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile xpexts -infiles newreq.pem
Do you need these steps? Freeradius will use a seperate certificate and key in PEM format. It works fine for me. It seems like your setup is overly complex. Keep it simple, and see if it works. Then you can change file formats- etc. For now, just make the changes I recommended and see if it gives you a working CA and client/server certificates.
C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
Jason Wittlin-Cohen