Question about certs and Microsoft
In the beginning of the cert documentation, it says: The Microsoft "XP Extensions" will be automatically included in the server certificate. Without those extensions Windows clients will refuse to authenticate to FreeRADIUS. But I use a certificate authority, so later on in the documentation, it says: If you have an existing certificate authority, and wish to create a certificate signing request for the server certificate, edit server.cnf as above, and type the following command. $ make server.csr You will have to ensure that the certificate contains the XP extensions needed by Microsoft clients. How do I go about ensuring this? Do I have to request them to be added from the CA?
Scott McLane Gardner wrote:
But I use a certificate authority, so later on in the documentation, it says:
If you have an existing certificate authority, and wish to create a certificate signing request for the server certificate, edit server.cnf as above, and type the following command.
$ make server.csr
You will have to ensure that the certificate contains the XP extensions needed by Microsoft clients.
The default configuration includes the XP extensions.
How do I go about ensuring this? Do I have to request them to be added from the CA?
The default configuration does this. You shouldn't need to do anything. Alan DeKok.
Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/freeradius/certs/server.key rlm_eap: Failed to initialize type tls I checked the permissions of the server.key file and it is the same as all the other stuff in that directory. Can anyone tell me what this error means?
Just to get the server running, I tried moving all the things out of that directory, then doing the ./bootstrap thing and it still gives that error when trying to start the server. -Scott On 3/14/12 3:44 PM, "Scott McLane Gardner" <sgardne@uark.edu> wrote:
Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/freeradius/certs/server.key rlm_eap: Failed to initialize type tls
I checked the permissions of the server.key file and it is the same as all the other stuff in that directory. Can anyone tell me what this error means?
Scott McLane Gardner wrote:
Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file
The password to the key file is wrong. Alan DeKok.
On 3/14/12 4:05 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Scott McLane Gardner wrote:
Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file
The password to the key file is wrong.
Alan DeKok.
Doesn't it just use server.cnf to set the password for the key and the CSR?
Scott McLane Gardner wrote:
Doesn't it just use server.cnf to set the password for the key and the CSR?
To *make* the certificates, yes. For EAP, you need to configure the passwords in eap.conf. This is documented. server.cnf is an OpenSSL configuration file. FreeRADIUS doesn't read OpenSSL configuration files. Alan DeKok.
Hi,
Doesn't it just use server.cnf to set the password for the key and the CSR?
server.cnf is for openSSL - applications such as FreeRADIUS and Apache have their own configuration files for private certificate keys etc - eap.conf in your case alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Scott McLane Gardner