EAP-TLS Certificate problems.

Brian vb nova5radius at gmail.com
Wed Oct 11 00:54:39 CEST 2006


Got it up and running. Partially your help, and partially me going and
forcefully breaking something to see what errors cropped up. Renamed the
original PEM directory in OpenSSL and all sorts of errors popped up that led
me to the discovery it was still using the DemoCA's CA to make the client
and server certs, and not the CA created by the script. I've since got that
fixed and it all works perfectly now.

Best way to fix a noncritical is to break it and see what goes really wrong!
;)

Thanks,
Brian.

> -----Original Message-----
> From: freeradius-users-bounces+nova5radius=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+nova5radius=gmail.com at lists.freeradius.org] On Behalf Of Jason-
> Wittlin-Cohen
> Sent: Monday, October 09, 2006 1:45 PM
> To: freeradius-users at lists.freeradius.org
> Subject: RE: EAP-TLS Certificate problems.
> 
> > Date: Mon, 9 Oct 2006 11:26:51 -0400
> > From: "Brian vb" <nova5radius at gmail.com>
> > Subject: RE: EAP-TLS Certificate problems.
> > To: "'FreeRadius users mailing list'"
> > 	<freeradius-users at lists.freeradius.org>
> > Message-ID: <000f01c6ebb7$59118220$be01010a at lightwave>
> > Content-Type: text/plain;	charset="us-ascii"
> >
> > Recreated certs, same issue came with the Issuer field. XPExtensions are
> > used. Password is the same in this file and what Freeradius has, just changed
> > to protect it.
> >
> >
> > Here is the batch file I'm using to create the certs. I don't see anything
> > amiss between it and the page you sent. Any ideas?
> >
> >
> > PATH=C:\openssl\bin;C:\ssl1;%path%
> > export LD_LIBRARY_PATH=C:\openssl\lib
> >
> >
> > CD\SSL1
> >
> > REM CA Creation
> > C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
> > -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts
> > -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
> > pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
> > root.der
> 
> I'm not sure what you're doing here. First, "C:\openssl\bin\openssl
> req -new -x509 -keyout newreq.pem -out newreq.pem
> -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved"
> 
> You're outputting the private key and public key to the same file. I'm
> not sure if this will include both in the same file, or only create
> one. Regardless, it's not what you want to do. Give the files unique
> names. The clients and server need the public key and only the
> certificate signing machine needs the private key. You don't want to
> combine the keys.
> 
> To create a CA:
> 
> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
> 365 -config openssl.cnf
> 
> Also, why are you creating a p12 file for the CA? You certainly don't
> want to hand out the private key to clients, and for certificate
> signing, you only need the private key which can be stored in
> cakey.pem for example. Clients should be given cacert.pem or
> cacert.der depending on the format you use. The p12 format should only
> be used for client certs because those need to combine private key +
> certificate (at least for the MS supplicant).
> 
> >
> > REM Client cert Create
> > C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
> > -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> 
> Again, -keyout is used to create the private key, and -out to create
> the certificate signing request which is then passed on to the CA
> later. You're using the same filename, so I have no idea what's
> happening. Either you have a certificate signing request and no key,
> or a key without a signing request. Either way, it won't work.
> 
> 
> You need to do something like this:
> 
> openssl req -new -keyout client_key.pem \
> -out client_req.pem -days 730 -config ./openssl.cnf
> 
> Notice that the key and the signing request are given different names.
> 
> >
> > C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
> > pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile
> > xpexts -infiles newreq.pem
> >
> > C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
> > cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
> > pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
> > pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out
> > cert-clt.der
> 
> So, you convert from a PEM certificate and PEM key, to a P12 cert+key,
> to a PEM cert+key to DER cert+key. Why? The P12 cert+key will work
> fine.
> 
> >
> > REM Server Cert Create
> > C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
> > -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> 
> Again, the key and certificate signing request must be given different
> names or else your setup will fail.
> 
> >
> > C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
> > pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile
> > xpexts -infiles newreq.pem
> >
> 
> Do you need these steps? Freeradius will use a separate certificate
> and key in PEM format. It works fine for me. It seems like your setup
> is overly complex. Keep it simple, and see if it works. Then you can
> change file formats, etc.
> 
> For now, just make the changes I recommended and see if it gives you a
> working CA and client/server certificates.
> 
> > C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
> > cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout
> > pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
> > pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out
> > cert-srv.der
> >
> 
> Jason Wittlin-Cohen
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
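As an added example (not code from this thread, from Brian's batch file, or from FreeRADIUS), the POSIX shell script below carries Jason's advice through end to end: the CA key, the CA certificate, each CSR and each end-entity key live in separate files; the server and client certificates are signed with the `xpserver_ext` / `xpclient_ext` extension sections; only the client's key and certificate (plus the CA *certificate*, never the CA key) go into a PKCS#12; and the result is verified against the CA. It assumes `openssl` (1.1.1 or 3.x) is on PATH. The directory layout, subject names, the passphrase `demo` and the contents of the `xpexts` file are constructed for this example; the two extension sections use the extendedKeyUsage OIDs for TLS client and server authentication.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: a small CA
# workflow that keeps every private key, CSR and certificate in its own file,
# signs one server and one client certificate with the EKU sections the
# thread calls xpserver_ext/xpclient_ext, bundles only the client's key+cert
# into a PKCS#12, and verifies the result. Assumes "openssl" is on PATH.
# Directory layout, subject names and the passphrase "demo" are illustrative.
set -eu

CA_PASS=demo   # placeholder CA key passphrase for the example only

# Write the extension file (the thread's "xpexts"). Constructed here; the two
# sections carry the extendedKeyUsage OIDs for TLS client / server auth.
write_xpexts() {
    cat > "$1" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Self-signed CA: private key -> private/cakey.pem, certificate -> cacert.pem.
# Only cacert.pem (or a DER copy of it) is ever distributed.
make_ca() {
    mkdir -p "$1/private"
    openssl req -new -x509 -newkey rsa:2048 -days 365 \
        -subj "/CN=Example EAP-TLS CA" -passout "pass:$CA_PASS" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Key + CSR for an end entity, then the CA signature with the requested
# extension section. -keyout and -out name DIFFERENT files, which is the
# point of the thread.  $1 = dir, $2 = base name, $3 = ext section, $4 = CN.
issue_cert() {
    dir=$1; name=$2; ext=$3; cn=$4
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/${name}_key.pem" -out "$dir/${name}_req.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "$dir/${name}_req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -passin "pass:$CA_PASS" -extfile "$dir/xpexts" -extensions "$ext" \
        -out "$dir/${name}_cert.pem" 2>/dev/null
}

# PKCS#12 for the Windows supplicant: the CLIENT key and cert plus the CA
# certificate (never the CA private key).
bundle_client_p12() {
    openssl pkcs12 -export -in "$1/client_cert.pem" -inkey "$1/client_key.pem" \
        -certfile "$1/cacert.pem" -passout "pass:$CA_PASS" -out "$1/client.p12"
}

# Returns 0 when cert $1 chains to CA cert $2 and its text contains EKU name $3.
check_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$3"
}

# Number of private keys inside a PKCS#12 (expect exactly 1: the client's).
p12_private_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$CA_PASS" -nodes 2>/dev/null \
        | grep -c "BEGIN PRIVATE KEY"
}

# Build the whole tree under $1 and verify both end-entity certificates.
build_all() {
    dir=${1:-./eap-tls-demo}
    mkdir -p "$dir"
    write_xpexts "$dir/xpexts"
    make_ca "$dir"
    issue_cert "$dir" server xpserver_ext radius.example.test
    issue_cert "$dir" client xpclient_ext user1
    bundle_client_p12 "$dir"
    check_cert "$dir/server_cert.pem" "$dir/cacert.pem" "TLS Web Server Authentication"
    check_cert "$dir/client_cert.pem" "$dir/cacert.pem" "TLS Web Client Authentication"
}

# Run directly:  EAP_DEMO_DIR=/tmp/eap-demo sh eap_tls_certs.sh
case "${EAP_DEMO_DIR:-}" in ?*) build_all "$EAP_DEMO_DIR" ;; esac
```

FreeRADIUS is then pointed at `server_cert.pem`, `server_key.pem` and `cacert.pem`, and only `client.p12` plus `cacert.pem` (or a DER copy) leave the signing machine. `openssl x509 -req` is used instead of `openssl ca` so the example needs no index/serial database; the EKU checks in `check_cert` are what catch a client certificate accidentally signed with the server section. One caveat for OpenSSL 3.x: `pkcs12 -export` defaults to AES/PBKDF2 bundles, which very old Windows supplicants cannot read; `openssl pkcs12 -export -legacy ...` produces the older format if that is needed.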



