freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5) followed instructions in certs/README perfectly - so I believe. server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff. So I'm trying to verify the client certificate... # openssl verify -CAfile ca.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare@myorg.com/emailAddress=spare@myorg.com error 20 at 0 depth lookup:unable to get local issuer certificate so I figured I would try to verify it against the server file... # openssl verify -CAfile server.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/emailAddress=craig@myorg.com error 2 at 1 depth lookup:unable to get issuer certificate but indeed the server file verifies... # openssl verify -CAfile ca.pem server.crt server.crt: OK # openssl verify -CAfile ca.pem server.pem server.pem: OK This would seem pretty simple (the directions make it seem simple) edited client.cnf changed input/output password values to the same, simple value changed the e-mail address and cn to the same value as shown above What am I doing wrong? Craig
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
followed instructions in certs/README perfectly - so I believe.
server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
So I'm trying to verify the client certificate...
# openssl verify -CAfile ca.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare@myorg.com/emailAddress=spare@myorg.com error 20 at 0 depth lookup:unable to get local issuer certificate
so I figured I would try to verify it against the server file... # openssl verify -CAfile server.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/emailAddress=craig@myorg.com error 2 at 1 depth lookup:unable to get issuer certificate
but indeed the server file verifies...
# openssl verify -CAfile ca.pem server.crt server.crt: OK
# openssl verify -CAfile ca.pem server.pem server.pem: OK
This would seem pretty simple (the directions make it seem simple) edited client.cnf changed input/output password values to the same, simple value changed the e-mail address and cn to the same value as shown above
What am I doing wrong?
Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to "persuade" up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem. Ivan Kalik Kalik Informatika ISP
On Thu, 2008-12-11 at 01:13 +0100, tnt@kalik.net wrote:
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
followed instructions in certs/README perfectly - so I believe.
server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
So I'm trying to verify the client certificate...
# openssl verify -CAfile ca.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare@myorg.com/emailAddress=spare@myorg.com error 20 at 0 depth lookup:unable to get local issuer certificate
so I figured I would try to verify it against the server file... # openssl verify -CAfile server.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/emailAddress=craig@myorg.com error 2 at 1 depth lookup:unable to get issuer certificate
but indeed the server file verifies...
# openssl verify -CAfile ca.pem server.crt server.crt: OK
# openssl verify -CAfile ca.pem server.pem server.pem: OK
This would seem pretty simple (the directions make it seem simple) edited client.cnf changed input/output password values to the same, simple value changed the e-mail address and cn to the same value as shown above
What am I doing wrong?
Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to "persuade" up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.
OK - question... I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over? Windows is still complaining with new client certificate and yes, system is XP Service Pack 3 so it's pretty much up-to-date Craig
I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over?
You should. Original Makefile was creating ca certificate that was valid only for 30 days. This one will use value from ca.cnf.
Windows is still complaining with new client certificate and yes, system is XP Service Pack 3 so it's pretty much up-to-date
Then you haven't got the (correct) ca.der certificate in your trusted root certificate store. Ivan Kalik Kalik informatika ISP
On Thu, 2008-12-11 at 01:49 +0100, tnt@kalik.net wrote:
I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over?
You should. Original Makefile was creating ca certificate that was valid only for 30 days. This one will use value from ca.cnf.
Windows is still complaining with new client certificate and yes, system is XP Service Pack 3 so it's pretty much up-to-date
Then you haven't got the (correct) ca.der certificate in your trusted root certificate store.
I was afraid you were gonna say that... I am honing by BOFH chops...each time I make new certs, I chase the iPhone users through their setup to accept the new cert. ;-) Though I was pretty certain that the certs I was making through my own scripts were right, I thought if I used the cert creation scripts from freeradius, things would just work... OK - I'll look at the cnf options because it would be nice to have more than 30 days anyway Thanks Craig
tnt@kalik.net wrote:
Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to "persuade" up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.
Shouldn't that be: $ diff Makefile.20081211 Makefile 92c92 < openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ---
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf -- REALITY.SYS not found: Universe halted.
Shouldn't that be:
$ diff Makefile.20081211 Makefile 92c92 < openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ---
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
It should. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Andrew Hood -
Craig White -
tnt@kalik.net