EAP-TLS Certificate problems.

Jason-Wittlin-Cohen jasonwc at brandeis.edu
Mon Oct 9 19:42:03 CEST 2006


> Message: 7
> Date: Mon, 9 Oct 2006 11:26:51 -0400
> From: "Brian vb" <nova5radius at gmail.com>
> Subject: RE: EAP-TLS Certificate problems.
> To: "'FreeRadius users mailing list'"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <000f01c6ebb7$59118220$be01010a at lightwave>
> Content-Type: text/plain;	charset="us-ascii"
>
> Recreated certs, same issue came with the Issuer field. XPExtensions are
> used. Password is the same in this file and what Freeradius has; just changed
> to protect it.
>
>
> Here is the batch file I'm using to create the certs. I don't see anything
> amiss between it and the page you sent.. any ideas?
>
>
> PATH=C:\openssl\bin;C:\ssl1;%path%
> export LD_LIBRARY_PATH=C:\openssl\lib
>
>
> CD\SSL1
>
> REM CA Creation
> C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
> -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts
> -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
> pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
> root.der

I'm not sure what you're doing here. First, "> C:\openssl\bin\openssl
req -new -x509 -keyout newreq.pem -out newreq.pem
> -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved"

You're outputting the private key and public key to the same file. I'm
not sure if this will include both in the same file, or only create
one. Regardless, it's not what you want to do. Give the files unique
names. The clients and server need the public key and only the
certificate signing machine needs the private key. You don't want to
combine the keys.

To create a CA:

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
365 -config openssl.cnf

Also, why are you creating a p12 file for the CA? You certainly don't
want to hand out the private key to clients, and for certificate
signing, you only need the private key which can be stored in
cakey.pem for example. Clients should be given cacert.pem or
cacert.der depending on the format you use. The p12 format should only
be used for client certs because those need to combine private key +
certificate (at least for the MS supplicant).

>
> REM Client cert Create
> C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
> -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

Again, -keyout is used to create the private key, and -out to create
the certificate signing request which is then passed on to the CA
later. You're using the same filename, so I have no idea what's
happening. Either you have a certificate signing request and no key,
or a key without a signing request. Either way, it won't work.


You need to do something like this:

openssl req -new -keyout client_key.pem \
-out client_req.pem -days 730 -config ./openssl.cnf

Notice that the key and the signing request are given different names.

>
> C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
> pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile
> xpexts -infiles newreq.pem
>
> C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
> cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
> pass:PassCodeRemoved
>
> C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
> pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out
> cert-clt.der

So, you convert from a PEM certificate and PEM key, to a P12 cert+key,
to a PEM cert+key, to a DER cert+key. Why? The P12 cert+key will work
fine.

>
> REM Server Cert Create
> C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
> -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

Again, the key and certificate signing request must be given different
names or else your setup will fail.

>
> C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
> pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile
> xpexts -infiles newreq.pem
>

Do you need these steps? Freeradius will use a separate certificate
and key in PEM format. It works fine for me. It seems like your setup
is overly complex. Keep it simple, and see if it works. Then you can
change file formats, etc.

For now, just make the changes I recommended and see if it gives you a
working CA and client/server certificates.

> C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
> cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout
> pass:PassCodeRemoved
>
> C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
> pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out
> cert-srv.der
>

Jason Wittlin-Cohen
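The layout Jason describes, as an added example that is not part of either poster's script: CA, client and server each get a separate key file, CSR file and certificate, the CSR is signed with the matching xpclient_ext/xpserver_ext section, and only the client gets a .p12. It assumes openssl is on PATH, uses `openssl x509 -req` in place of `openssl ca` (so no index/serial directory is needed), and the directory name, subject names and P12_PASS variable are placeholders.

```shell
# Added example (not from the thread). WORK and P12_PASS are placeholders;
# the passphrase is read from the environment rather than put on the command line.
set -eu
WORK=${WORK:-./eap-demo}
: "${P12_PASS:=changeit-demo-only}"; export P12_PASS

write_xpexts() {
  # Same section names as the poster's "xpexts" file: Windows expects
  # serverAuth on the RADIUS server cert and clientAuth on supplicant certs.
  cat > "$1" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = clientAuth
[ xpserver_ext ]
extendedKeyUsage = serverAuth
EOF
}

make_pki() {
  mkdir -p "$WORK"
  write_xpexts "$WORK/xpexts"
  # CA: private key and certificate go to DIFFERENT files. Only cacert.pem
  # is handed to clients and the RADIUS server; cakey.pem stays with the signer.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo EAP-TLS CA" -keyout "$WORK/cakey.pem" \
    -out "$WORK/cacert.pem" 2>/dev/null
  # Client and server: key -> ROLE_key.pem, CSR -> ROLE_req.pem, then the CA
  # signs the CSR with the matching XP extension section.
  for role in client server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=eap-$role" \
      -keyout "$WORK/${role}_key.pem" -out "$WORK/${role}_req.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/${role}_req.pem" \
      -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
      -extfile "$WORK/xpexts" -extensions "xp${role}_ext" \
      -out "$WORK/${role}_cert.pem" 2>/dev/null
  done
  # Only the client gets a .p12 (cert + key, which the MS supplicant needs).
  openssl pkcs12 -export -in "$WORK/client_cert.pem" \
    -inkey "$WORK/client_key.pem" -out "$WORK/client.p12" -passout env:P12_PASS
}

# Returns 0 when ROLE's cert chains to the CA and carries the EKU text in $2.
check_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1_cert.pem" >/dev/null &&
    openssl x509 -in "$WORK/$1_cert.pem" -noout -text |
    grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Prints how many PEM objects the client .p12 holds (cert + key = 2).
p12_objects() {
  openssl pkcs12 -in "$WORK/client.p12" -nodes -passin env:P12_PASS 2>/dev/null |
    grep -c -- '-----BEGIN'
}
```

Run `make_pki`, then point FreeRADIUS at server_cert.pem, server_key.pem and cacert.pem, and import client.p12 plus cacert.pem on the Windows client.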
