Hi,

I have Ubuntu Server installed and I have a Windows 2008 Server Certificate Authority

When I type the openssl command I keep on getting this errorCA certificate and CA private key do not match

  Any help or suggestions would be appreciated.

Thanks

Scott

 

Ps.  I was able to get Samba to work after loading the lates server Ubuntu 11.10.  Thanks for everyones help.

 

root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr

Using configuration from /usr/lib/ssl/openssl.cnf

CA certificate and CA private key do not match

3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:

root@FreeRadius:/etc/freeradius/certs#

 

root@FreeRadius:/etc/freeradius/certs# openssl req -new -nodes -keyout mykey.pem -out server.csrGenerating a 1024 bit RSA private key

.......++++++

........++++++

writing new private key to 'mykey.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:MA

Locality Name (eg, city) []:Andover

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Enterasys.com

Organizational Unit Name (eg, section) []:SQA

Common Name (eg, YOUR name) []:Scott

Email Address []:SQA@enterasys.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

enterasys []:enterasys

An optional company name []:Enterasys

root@FreeRadius:/etc/freeradius/certs#

root@FreeRadius:/etc/freeradius/certs# openssl pkcs12 -in "SQA 2008 System Certificate.p12" -out ca.pem

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr

Using configuration from /usr/lib/ssl/openssl.cnf

CA certificate and CA private key do not match

3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:

root@FreeRadius:/etc/freeradius/certs#

 

OpenSSL.cnf file:

# OpenSSL example configuration file.

# This is mostly being used for generation of certificate requests.

#

 

# This definition stops the following lines choking if HOME isn't

# defined.

HOME                 = .

RANDFILE             = $ENV::HOME/.rnd

 

# Extra OBJECT IDENTIFIER info:

#oid_file            = $ENV::HOME/.oid

oid_section          = new_oids

 

# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions         =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)

 

[ new_oids ]

 

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6

 

# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

 

####################################################################

[ ca ]

default_ca    = CA_default         # The default ca section

 

####################################################################

[ CA_default ]

 

dir           = /etc/freeradius           # Where everything is kept

certs         = $dir/certs         # Where the issued certs are kept

crl_dir       = $dir/crl           # Where the issued crl are keptcd ..

 

database      = $dir/index.txt     # database index file.

#unique_subject      = no                 # Set to 'no' to allow creation of

                                   # several ctificates with same subject.

new_certs_dir = $dir/certs         # default place for new certs.

 

certificate   = $certs/ca.pem      # The CA certificate

serial        = $dir/serial               # The current serial number

crlnumber     = $dir/crlnumber     # the current crl number

                                   # must be commented out to leave a V1 CRL

crl           = $dir/crl.pem              # The current CRL

private_key   = $certs/mykey.pem          # The private key

RANDFILE      = $certs/random      # private random number file

 

x509_extensions      = usr_cert           # The extentions to add to the cert

 

 

 

 

Directions I am Using:

The second way of doing this, which is not very neat, is as follows:

 

 

>From the computer where your freeradius is, you generate a request and a private key by:

 

   shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

 

The challenge password is important because it'll be used in the freeradius configuration

The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs

  

   shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

 

Then, from the computer where your CA authority is, open a Command prompt window and type:

 

   C:\>certutil -backup directory

 

It will prompt you for the password for your private key and will generate a backup of your CA private and public key inside the directory "directory". Let's say that your password is "password".

Then, go to "directory"

 

   C:\>cd directory

   

And copy the file "Certification Authority.p12" to the computer where your FreeRadius is. This file contains both your CA's private and public keys. Then, from your freeradius computer, you need to convert this file to a format more "manageable".

 

   shell:~ # openssl pkcs12 -in "Certification Authority.p12" -out ca.pem

 

Then, you need to modify your /etc/ssl/openssl.cnf file. Locate the section [ CA_default ] and modify the lines certificate and private_key, so they point to the file you generated in the last step. Those lines should look like:

 

certificate    = /root/ca.pem

private_key    = /root/ca.pem

 

Once you have finished doing these changes, then create a file called xpextensions with the following contents:

 

[ xpserver_ext ]

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

 

This is required to add the extension needed for your certificate. Then

 

   shell:~ # openssl ca -policy policy_anything -out certificate.pem -passin pass:password -key password -extensions xpserver_ext -extfile xpextensions -infiles server.csr

 

Delete the file server.csr

 

   shell:~ # rm server.csr

 

And copy the files ca.pem and certificate.pem to /usr/local/etc/raddb/certs

 

   shell:~ # cp ca.pem certificate.pem /usr/local/etc/raddb/certs

 

It is preferable to delete all info about the private key from the file ca.pem, but it is up to you.

Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.

Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.

 

SAMPLE EAP.CONF

eap {

                default_eap_type = peap

                timer_expire     = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

 

                tls {

                        private_key_password = #The challenge password you have chosen when you generated your private key

                        private_key_file = ${raddbdir}/certs/mykey.pem

                        certificate_file = ${raddbdir}/certs/certificate.pem

                        CA_file = ${raddbdir}/certs/ca.pem

                        dh_file = ${raddbdir}/certs/dh

                        random_file = /dev/urandom

                        fragment_size = 1024

                        include_length = yes

                }

                peap {

                        default_eap_type = mschapv2

                }

                mschapv2 {

                }

        }