Self Signed Certs Fail - pem/der

Steven Sprague steven at sprague-enterprises.com
Tue Sep 15 03:57:33 CEST 2009


Yes, 

Before I tried for the second time to make self-signed certs, I did use
the command prompt command in the CA doc to delete everything: *.pem,
*.der, etc.

>edit ca.cnf, server.cnf and client.cnf to ensure that
>everything matches and expects the same organisation etc...
>then you can re-run the bootstrap and it'll be fine

I thought you only needed to edit the ca.cnf if you needed to make
self-signed root certs for EAP-PEAP clients. I did not see any note that
said you needed to make the same edits to the server.cnf and client.cnf?

Anyway, if that is required I will give it a go. Just so I am sure "what
has to be changed" in the *.cnf's for this to work - please confirm by
looking at what I intend to edit = *

[ req ]
prompt			= no
distinguished_name       = certificate_authority
default_bits		= 2048
* input_password         = whatever
* output_password        = whatever
x509_extensions		= v3_ca

[certificate_authority]
* countryName	         = FR
* stateOrProvinceName	 = Radius
* localityName		= Somewhere
* organizationName       = Example Inc.
* emailAddress		= admin at example.com
* commonName		= "Example Certificate Authority"

Steven


-----Original Message-----
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Subject: Re: Self Signed Certs Fail - pem/der

Hi,

> For some unknown reason my self certs failed to work in either client.
> After trying this twice and have both attempts fail I regenerated the
> original CA’s for “example” using ./bootstrap, the old CA.cnf file  - they
> both worked for my clients (Linux/WinXP)

you need to ensure all the old stuff is gone..

cd $place/raddb/certs
make clean
make destroycerts

edit ca.cnf, server.cnf and client.cnf to ensure that
everything matches and expects the same organisation etc
then you can re-run the bootstrap and it'll be fine
(or should be!)

PS this is for a modern version - eg 2.1.6

alan

-- 
Steven Sprague <steven at sprague-enterprises.com>
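
The advice quoted above, that ca.cnf, server.cnf and client.cnf must agree on the organisation details, can be checked before re-running bootstrap. This is an added example, not part of the original thread or of FreeRADIUS; the compared fields in MATCH_FIELDS and the sample values are assumptions.

```python
import re

# Assumption: fields a typical OpenSSL "match" policy enforces; adjust to your CA policy.
MATCH_FIELDS = ("countryName", "stateOrProvinceName", "organizationName")

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return sections

def subject_of(text):
    """Return the DN section that [req] distinguished_name points to."""
    cfg = parse_cnf(text)
    return cfg.get(cfg.get("req", {}).get("distinguished_name", ""), {})

def dn_mismatches(ca_text, others):
    """List (file, field, ca_value, file_value) where a file disagrees with the CA."""
    ca = subject_of(ca_text)
    problems = []
    for name, text in others.items():
        dn = subject_of(text)
        for field in MATCH_FIELDS:
            if dn.get(field) != ca.get(field):
                problems.append((name, field, ca.get(field), dn.get(field)))
    return problems

# Constructed sample input: ca.cnf edited, server.cnf still carrying the default org.
CA = """[ req ]
distinguished_name = certificate_authority
[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
organizationName = "My Lab"
"""
SERVER = CA.replace("certificate_authority", "server").replace("My Lab", "Example Inc.")
CLIENT = CA.replace("certificate_authority", "client")

if __name__ == "__main__":
    for row in dn_mismatches(CA, {"server.cnf": SERVER, "client.cnf": CLIENT}):
        print("%s: %s is %r in ca.cnf but %r here" % row)
```

To check real files, pass the contents of each .cnf read from raddb/certs instead of the sample strings.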

