RE: Freeradius-Users Digest, Vol 82, Issue 33
Alan, I already have certificates created on my 2008 Server so I want to use those certificates on my Ubuntu Server without creating new ones. You mentioned my openssl configuration is wrong. Any suggestions on how I can fix the openssl configuration? Thanks Scott Message: 1 Date: Sun, 12 Feb 2012 10:26:44 +0100 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Cetificates to Use with Ubuntu Server To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4F3785D4.3020103@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 Gilmour, Scott wrote:
I have Ubuntu Server installed and I have a Windows 2008 Server Certificate Authority
When I type the openssl command I keep on getting this error: CA certificate and CA private key do not match
Your OpenSSL configuration is wrong.
Ps. I was able to get Samba to work after loading the lates server Ubuntu 11.10. Thanks for everyones help.
That's good to hear.
root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr
Don't do that. There's a lot of magic in OpenSSL. Instead, see raddb/certs/README. The process for creating certificates is automated, documented, and it *works*. Alan DeKok.
Please respond to the original email, not a digest, and use a good subject line. It helps other people track the conversation. Gilmour, Scott wrote:
Alan, I already have certificates created on my 2008 Server so I want to use those certificates on my Ubuntu Server without creating new ones.
That's fine.
You mentioned my openssl configuration is wrong. Any suggestions on how I can fix the openssl configuration?
The file raddb/certs/Makefile creates good certificates. The *cnf files in the same directory create good certificates. I don't know what you're doing different, and it isn't really useful to look. Grab the certificate creation commands from the Makefile, and use those. Modify them to point to your files. It *will* work. There's a lot of magic in creating good certs. That magic is embedded in the existing Makefile and config files. Use them, they will make your life easier. Alan DeKok.
Am 13.02.2012 10:32, schrieb Alan DeKok:
Please respond to the original email, not a digest, and use a good subject line. It helps other people track the conversation.
Gilmour, Scott wrote:
Alan, I already have certificates created on my 2008 Server so I want to use those certificates on my Ubuntu Server without creating new ones.
That's fine.
If you use a MS CA please be aware that by default 2k8 CAs create certificates signed with SHA-256bit - many systems (including XP and Win 2003 without a patch) are NOT able to deal with those certificates, as they only support SHA1. Once the CA has been setup, there is no easy way to change this. Also, usually MS CAs include some mandatory extensions in their CRLs which OpenSSL can not read as well. You need to remove these extensions in the CRL configuration.
You mentioned my openssl configuration is wrong. Any suggestions on how I can fix the openssl configuration?
The file raddb/certs/Makefile creates good certificates. The *cnf files in the same directory create good certificates. I don't know what you're doing different, and it isn't really useful to look.
Grab the certificate creation commands from the Makefile, and use those. Modify them to point to your files. It *will* work.
There's a lot of magic in creating good certs. That magic is embedded in the existing Makefile and config files. Use them, they will make your life easier.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mit freundlichen Grüßen / with kind regards Rudolph Bott
participants (3)
-
Alan DeKok -
Gilmour, Scott -
Rudolph Bott