Certificate creation????

Andrew Street andy at tisias.com
Wed Jun 1 08:59:47 CEST 2005

Hi Andreas,

Had the same problem recently - it's due to the -next_serial option 
being unsupported in your version of OpenSSL but the CA.pl script 
requiring it! The -next_serial option was introduced in OpenSSL version 
0.9.7e :

Changes between 0.9.7d and 0.9.7e  [XX xxx XXXX]
  -  *)
  +  *) Reduce the chances of duplicate issuer name and serial numbers (in
  +     violation of RFC3280) using the OpenSSL certificate creation utilities. 
  +     This is done by creating a random 64 bit value for the initial serial
  +     number when a serial number file is created or when a self signed
  +     certificate is created using 'openssl req -x509'. The initial serial
  +     number file is created using 'openssl x509 -next_serial' in CA.pl
  +     rather than being initialized to 1.
  +     [Steve Henson]

I'm had installed 0.9.7g without removing an existing version of openssl 
(0.9.7d). I don't know if this is your problem but I would try removing 
all versions of openSSL and reinstalling 0.9.7g - everything should work 
when the CA.pl script and the openssl versions are 'in-line'

Hope this helps

Andy Street

Andreas Korber wrote:

>What i am doing wrong? The creation of my certificates for EAP/TLS with
>CA.all or CA.certs always end with an message like this:
>Country Name (2 letter code) [AU]:State or Province Name (full name)
>[Some-State]:Locality Name (eg, city) []:Organization Name (eg, company)
>[Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common
>Name (eg, YOUR name) []:Email Address []:
>Please enter the following 'extra' attributes
>to be sent with your certificate request
>A challenge password []:An optional company name []:Using configuration from
>./demoCA/serial: No such file or directory
>error while loading serial number
>3164:error:02001002:system library:fopen:No such file or
>3164:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
>Failed to do sign certificate
>radius:/usr/local/etc/raddb/certs #
>So i looked for the serial file. But it dosn´t exist. I think because of an
>earlier message:
>CA certificate filename (or enter to create)
>unknown option -next_serial
>usage: x509 args
> -inform arg     - input format - default PEM (one of DER, NET or PEM)
> -outform arg    - output format - default PEM (one of DER, NET or PEM)
> -keyform arg    - private key format - default PEM
> -CAform arg     - CA format - default PEM
> -CAkeyform arg  - CA key format - default PEM
> -in arg         - input file - default stdin
> -out arg        - output file - default stdout
> -passin arg     - private key password source
> -serial         - print serial number value
> -hash           - print hash value
> -subject        - print subject DN
> -issuer         - print issuer DN
> -email          - print email address(es)
> -startdate      - notBefore field
> -enddate        - notAfter field
> -purpose        - print out certificate purposes
> -dates          - both Before and After dates
> -modulus        - print the RSA key modulus
> -pubkey         - output the public key
> -fingerprint    - print the certificate fingerprint
> -alias          - output certificate alias
> -noout          - no certificate output
> -ocspid         - print OCSP hash values for the subject name and public
> -trustout       - output a "trusted" certificate
> -clrtrust       - clear all trusted purposes
> -clrreject      - clear all rejected purposes
> -addtrust arg   - trust certificate for a given purpose
> -addreject arg  - reject certificate for a given purpose
> -setalias arg   - set certificate alias
> -days arg       - How long till expiry of a signed certificate - def 30
> -checkend arg   - check whether the cert expires in the next arg seconds
>                   exit 1 if so, 0 if not
> -signkey arg    - self sign cert with arg
> -x509toreq      - output a certification request object
> -req            - input is a certificate request, sign and output.
> -CA arg         - set the CA certificate, must be PEM format.
> -CAkey arg      - set the CA key, must be PEM format
>                   missing, it is assumed to be in the CA file.
> -CAcreateserial - create serial number file if it does not exist
> -CAserial arg   - serial file
> -set_serial     - serial number to use
> -text           - print the certificate in text form
> -C              - print out C code forms
> -md2/-md5/-sha1/-mdc2 - digest to use
> -extfile        - configuration file with X509V3 extensions to add
> -extensions     - section from config file with X509V3 extensions to add
> -clrext         - delete extensions before signing and input certificate
> -nameopt arg    - various certificate name options
> -engine e       - use engine e, possibly a hardware device.
> -certopt arg    - various certificate text options
>Can anyone help me plaese??
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list