OK. Had some time to look at your certificates. You have created a server certificate but not the (signed) root one. Instead you used and exported cacert. Also your server cert and private keys are separate while in your tls config you configured them as a same file. Have a look at CA.all script that comes with the freeradius distribution (or better use it) to see how it should be done. It places the key in the same file as the certificate. Ivan Kalik Kalik Informatika ISP
2007/10/2, Ivan Kalik <tnt@kalik.co.yu>:
OK. Had some time to look at your certificates. You have created a server certificate but not the (signed) root one. Instead you used and exported cacert. Also your server cert and private keys are separate while in your tls config you configured them as a same file. Have a look at CA.all script that comes with the freeradius distribution (or better use it) to see how it should be done. It places the key in the same file as the certificate.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan thanks for your time. I've deleted those files and recreated with certs.sh and CA.all. Now I have signed certificates in der, p12 and pem formats. What of these ones should I use in eap.conf. I don't understand something, root one is not "cacert.*" ? -- -- Sergio Belkin -
2007/10/2, Sergio Belkin <sebelk@gmail.com>:
2007/10/2, Ivan Kalik <tnt@kalik.co.yu>:
OK. Had some time to look at your certificates. You have created a server certificate but not the (signed) root one. Instead you used and exported cacert. Also your server cert and private keys are separate while in your tls config you configured them as a same file. Have a look at CA.all script that comes with the freeradius distribution (or better use it) to see how it should be done. It places the key in the same file as the certificate.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan thanks for your time. I've deleted those files and recreated with certs.sh and CA.all. Now I have signed certificates in der, p12 and pem formats. What of these ones should I use in eap.conf. I don't understand something, root one is not "cacert.*" ? -- -- Sergio Belkin -
And I don't know why but I only get client and server certificates but not root certificate using CA.all -- -- Sergio Belkin -
Freeradius version? In new ones you should have all of them created as you install the server. Ivan Kalik Kalik Informatika ISP Dana 2/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
2007/10/2, Sergio Belkin <sebelk@gmail.com>:
2007/10/2, Ivan Kalik <tnt@kalik.co.yu>:
OK. Had some time to look at your certificates. You have created a server certificate but not the (signed) root one. Instead you used and exported cacert. Also your server cert and private keys are separate while in your tls config you configured them as a same file. Have a look at CA.all script that comes with the freeradius distribution (or better use it) to see how it should be done. It places the key in the same file as the certificate.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan thanks for your time. I've deleted those files and recreated with certs.sh and CA.all. Now I have signed certificates in der, p12 and pem formats. What of these ones should I use in eap.conf. I don't understand something, root one is not "cacert.*" ? -- -- Sergio Belkin -
And I don't know why but I only get client and server certificates but not root certificate using CA.all -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2007/10/2, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Freeradius version? In new ones you should have all of them created as you install the server.
Ivan Kalik Kalik Informatika ISP
I'm using freeradius-1.1.7. If I use certificates that come as demo, the problem is that is valid to 24/01/2006.
Dana 2/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
2007/10/2, Sergio Belkin <sebelk@gmail.com>:
2007/10/2, Ivan Kalik <tnt@kalik.co.yu>:
OK. Had some time to look at your certificates. You have created a server certificate but not the (signed) root one. Instead you used and exported cacert. Also your server cert and private keys are separate while in your tls config you configured them as a same file. Have a look at CA.all script that comes with the freeradius distribution (or better use it) to see how it should be done. It places the key in the same file as the certificate.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan thanks for your time. I've deleted those files and recreated with certs.sh and CA.all. Now I have signed certificates in der, p12 and pem formats. What of these ones should I use in eap.conf. I don't understand something, root one is not "cacert.*" ? -- -- Sergio Belkin -
And I don't know why but I only get client and server certificates but not root certificate using CA.all -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin -
Sergio Belkin wrote:
I'm using freeradius-1.1.7. If I use certificates that come as demo, the problem is that is valid to 24/01/2006.
Install 2.0.0-pre2 somewhere. Start it as root, in debugging mode. Look in raddb/certs. There will be certs available. To customize them, edit ca.cnf and server.cnf. Then run the "bootstrap" program in that directory. Alan DeKok.
2007/10/3, Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
I'm using freeradius-1.1.7. If I use certificates that come as demo, the problem is that is valid to 24/01/2006.
Install 2.0.0-pre2 somewhere. Start it as root, in debugging mode. Look in raddb/certs. There will be certs available.
To customize them, edit ca.cnf and server.cnf. Then run the "bootstrap" program in that directory.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Is 2.0.0-pre2 reliable for production usage? -- -- Sergio Belkin -
Use default values: private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem Root contains the key as well. You export root.der to XP clients. Ivan Kalik Kalik Informatika ISP Dana 2/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
2007/10/2, Ivan Kalik <tnt@kalik.co.yu>:
OK. Had some time to look at your certificates. You have created a server certificate but not the (signed) root one. Instead you used and exported cacert. Also your server cert and private keys are separate while in your tls config you configured them as a same file. Have a look at CA.all script that comes with the freeradius distribution (or better use it) to see how it should be done. It places the key in the same file as the certificate.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan thanks for your time. I've deleted those files and recreated with certs.sh and CA.all. Now I have signed certificates in der, p12 and pem formats. What of these ones should I use in eap.conf. I don't understand something, root one is not "cacert.*" ? -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Ivan Kalik -
Sergio Belkin -
tnt@kalik.co.yu