EAP-TLS Certificate problems.

Brian vb nova5radius at gmail.com
Mon Oct 9 17:26:51 CEST 2006


Recreated certs, same issue came with the Issuer field. XPExtensions are
used. Password is the same in this file and what Freeradius has just changed
to protect it.


Here is the batch file I'm using to create the certs. I don't see anything
amiss between it and the page you sent. Any ideas?


SET PATH=C:\openssl\bin;C:\ssl1;%PATH%
SET LD_LIBRARY_PATH=C:\openssl\lib

CD \SSL1

REM CA Creation (the CA key and its self-signed cert are both written to newreq.pem)
C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out root.der

REM Client cert Create (overwrites newreq.pem with the client key and request)
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

REM openssl ca signs with the CA certificate and key named in openssl.cnf (CA_default)
REM unless -cert and -keyfile are given; root.pem is not passed on this command line
C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der

REM Server Cert Create (overwrites newreq.pem again with the server key and request)
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

REM Same signing step as above; the CA used is the one configured in openssl.cnf
C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der

> -----Original Message-----
> From: freeradius-users-bounces+nova5radius=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+nova5radius=gmail.com at lists.freeradius.org] On Behalf Of Jason
> Wittlin-Cohen
> Sent: Monday, October 09, 2006 12:12 AM
> To: freeradius-users at lists.freeradius.org
> Subject: EAP-TLS Certificate problems.
> 
> Brian vb said: "Ca is in trusted root stores under "Current User", and
> client is in Personal
> under "Current User". One thing I see when viewing the certs is the Root
> has
> "Locker Systems" (using a random name to keep the identity of my company
> out
> of the certs) as the issuer and the client has SSLeay Demoserver.. looks
> like OpenSSL didn't make the certs right for some odd reason.. it's like it
> used its own CA root or something else happened. I will recreate the certs
> but I'm quite sure I entered the same data in all certs except commonname
> which I made the same as the machine the cert will reside on. Root ca
> common
> name didn't match any machine name. Where should the CA be? Machine or
> User?"
> 
> First, when you create the server and client certificates you need to use
> the Microsoft attributes for
> Server and Client authentication.
> 
> [ xpclient_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.2
> [ xpserver_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.1
> 
> I would suggest following the instructions here:
> http://www.linuxjournal.com/node/8095/print
> The howto is for setup of Freeradius on Linux, but it should be similar on
> Windows because
> it's the OpenSSL commands that matter when creating the certs.
> 
> In order to find out if the certificate is correct, you can double click
> the certificate in the Personal store
> and go to "Certification Path". You should see the certificate common name
> as well as the common name of your Root CA.
> If you don't something is wrong. You should also see "This certificate is
> OK" in the Certificate status box.
> If this isn't the case, either the certificate was signed by the wrong CA,
> or the Root CA wasn't properly loaded into the User
> "Trusted Root Certificate Authorities" store.
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
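The issuer check Jason describes, scripted against certificates built the way Brian's batch file does it, as an added example that is not part of the thread or of FreeRADIUS. It assumes a POSIX shell with the openssl CLI; the CA, host and file names are constructed, and "SSLeay Demoserver" stands in for whatever stray CA signed the bad client cert.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway CA, sign a client
# certificate with the xpclient_ext EKU from the reply, and check what the reply
# says to look for (issuer equals the CA subject, right EKU, chain verifies).
# Needs the openssl CLI; file names and CA/host names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Same extension sections as the thread's xpexts file.
cat > "$WORK/xpexts" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
# make_ca <name> <CN>: self-signed root; key left unencrypted for the demo.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <name> <CN> <ext section> <ca name>: CSR, then sign with that CA.
# openssl x509 -req names the signing CA explicitly, unlike openssl ca, which
# takes it from openssl.cnf unless -cert/-keyfile are given.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/$1.csr" -CA "$WORK/$4.pem" \
        -CAkey "$WORK/$4.key" -CAcreateserial -extfile "$WORK/xpexts" \
        -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# check_cert <cert name> <ca name> <Client|Server>: prints "ok", or the reason
# the Windows certificate viewer would show a wrong path or status.
check_cert() {
    issuer=$(openssl x509 -noout -issuer -in "$WORK/$1.pem" | sed 's/^issuer=//')
    casubj=$(openssl x509 -noout -subject -in "$WORK/$2.pem" | sed 's/^subject=//')
    [ "$issuer" = "$casubj" ] || { echo "issuer mismatch: $issuer"; return 0; }
    openssl x509 -noout -text -in "$WORK/$1.pem" \
        | grep -q "TLS Web $3 Authentication" || { echo "missing $3 EKU"; return 0; }
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
        || { echo "chain does not verify"; return 0; }
    echo ok
}

make_ca rootca "Locker Systems Root CA"   # the intended CA
make_ca otherca "SSLeay Demoserver"       # a stray CA, as seen in the thread
issue_cert client1 laptop01 xpclient_ext rootca
issue_cert client2 laptop02 xpclient_ext otherca
check_cert client1 rootca Client          # prints: ok
check_cert client2 rootca Client          # prints: issuer mismatch: ...
```

The second check reproduces the symptom in the thread: the certificate is well formed but its issuer is a different CA, so the Windows "Certification Path" view cannot reach the root loaded into the trusted store.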



