certificate client.* non valid on windows XP
hi, I use freeradius 2.0.5 and openSUSE 10.3 i ran "bootstrap" script + "make client.pem", "make.client.p12", - I imported "ca.der" on my xp laptop, located at the CA Authorithy containeer. I imported server.p12 too (just to verify the signature) and everything is Ok - But when i import client.p12, windows says me this certificated is not valid! and i dont know why. I executed two commands: server.vrfy and client.vrfy, hoping their output (below) could help. Thank you for helping ------------------------------------------------------------------------------------------------- linux:/etc/raddb/certs # make server.vrfy openssl verify -CAfile ca.pem server.pem server.pem: OK make client.vrfy openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` MAC verified OK openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` MAC verified OK cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem c_rehash . Doing . 02.pem => eee97f35.0 WARNING: Skipping duplicate certificate user@example.com.pem client.pem => 583a9f4b.0 01.pem => dcd1729a.0 WARNING: Skipping duplicate certificate user2@example.com.pem server.pem => dcd1729a.1 WARNING: Skipping duplicate certificate 03.pem WARNING: Skipping duplicate certificate 04.pem ca.pem => 23537b55.0 openssl verify -CApath . client.pem client.pem: OK _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr
Reveal MAP escribió:
hi,
I use freeradius 2.0.5 and openSUSE 10.3
i ran "bootstrap" script + "make client.pem", "make.client.p12", - I imported "ca.der" on my xp laptop, located at the CA Authorithy containeer. I imported server.p12 too (just to verify the signature) and everything is Ok - But when i import client.p12, windows says me this certificated is not valid! and i dont know why.
I executed two commands: server.vrfy and client.vrfy, hoping their output (below) could help.
Thank you for helping ------------------------------------------------------------------------------------------------- linux:/etc/raddb/certs # make server.vrfy openssl verify -CAfile ca.pem server.pem server.pem: OK
make client.vrfy openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` MAC verified OK openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` MAC verified OK cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem c_rehash . Doing . 02.pem => eee97f35.0 WARNING: Skipping duplicate certificate user@example.com.pem client.pem => 583a9f4b.0 01.pem => dcd1729a.0 WARNING: Skipping duplicate certificate user2@example.com.pem server.pem => dcd1729a.1 WARNING: Skipping duplicate certificate 03.pem WARNING: Skipping duplicate certificate 04.pem ca.pem => 23537b55.0 openssl verify -CApath . client.pem client.pem: OK
------------------------------------------------------------------------ Envoyé avec Yahoo! Mail <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>. Une boite mail plus intelligente.
__________ Informaci�n de NOD32, revisi�n 3263 (20080711) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3263 (20080711) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I had the same problem. The fact is that server is an intermediate authotity and, using internet explorer, you need to install server.p12 into intermediate trusted ca containeer. Also check validity period (begining date). I had to change windows date to next day, but I don't remember why. Finally I made my own ca because default radius PKI was confusing me, and I used mi ca private key to sign client.* I hope that this help you.
participants (2)
-
Reveal MAP -
Sergio