Certificates to Use with Ubuntu Server

Gilmour, Scott sgilmour at enterasys.com
Sun Feb 12 01:39:35 CET 2012


Hi,
I have Ubuntu Server installed and I have a Windows 2008 Server Certificate Authority.
When I type the openssl command I keep on getting this error: CA certificate and CA private key do not match
Any help or suggestions would be appreciated.
Thanks
Scott

PS. I was able to get Samba to work after loading the latest server Ubuntu 11.10. Thanks for everyone's help.

root at FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr
Using configuration from /usr/lib/ssl/openssl.cnf
CA certificate and CA private key do not match
3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:
root at FreeRadius:/etc/freeradius/certs#

root at FreeRadius:/etc/freeradius/certs# openssl req -new -nodes -keyout mykey.pem -out server.csr
Generating a 1024 bit RSA private key
.......++++++
........++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:Andover
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Enterasys.com
Organizational Unit Name (eg, section) []:SQA
Common Name (eg, YOUR name) []:Scott
Email Address []:SQA at enterasys.com

Please enter the following 'extra' attributes
to be sent with your certificate request
enterasys []:enterasys
An optional company name []:Enterasys
root at FreeRadius:/etc/freeradius/certs#
root at FreeRadius:/etc/freeradius/certs# openssl pkcs12 -in "SQA 2008 System Certificate.p12" -out ca.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
root at FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr
Using configuration from /usr/lib/ssl/openssl.cnf
CA certificate and CA private key do not match
3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:
root at FreeRadius:/etc/freeradius/certs#

OpenSSL.cnf file:
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                 = .
RANDFILE             = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file            = $ENV::HOME/.oid
oid_section          = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions         =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca    = CA_default         # The default ca section

####################################################################
[ CA_default ]

dir           = /etc/freeradius           # Where everything is kept
certs         = $dir/certs         # Where the issued certs are kept
crl_dir       = $dir/crl           # Where the issued crl are kept

database      = $dir/index.txt     # database index file.
#unique_subject      = no                 # Set to 'no' to allow creation of
                                   # several certificates with same subject.
new_certs_dir = $dir/certs         # default place for new certs.

certificate   = $certs/ca.pem      # The CA certificate
serial        = $dir/serial               # The current serial number
crlnumber     = $dir/crlnumber     # the current crl number
                                   # must be commented out to leave a V1 CRL
crl           = $dir/crl.pem              # The current CRL
private_key   = $certs/mykey.pem          # The private key
RANDFILE      = $certs/random      # private random number file

x509_extensions      = usr_cert           # The extensions to add to the cert

Directions I am Using:
The second way of doing this, which is not very neat, is as follows:

From the computer where your freeradius is, you generate a request and a private key by:

   shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the freeradius configuration
The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs

   shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

Then, from the computer where your CA authority is, open a Command prompt window and type:

   C:\>certutil -backup directory

It will prompt you for the password for your private key and will generate a backup of your CA private and public key inside the directory "directory". Let's say that your password is "password".
Then, go to "directory"

   C:\>cd directory

And copy the file "Certification Authority.p12" to the computer where your FreeRadius is. This file contains both your CA's private and public keys. Then, from your freeradius computer, you need to convert this file to a format more "manageable".

   shell:~ # openssl pkcs12 -in "Certification Authority.p12" -out ca.pem

Then, you need to modify your /etc/ssl/openssl.cnf file. Locate the section [ CA_default ] and modify the lines certificate and private_key, so they point to the file you generated in the last step. Those lines should look like:

certificate    = /root/ca.pem
private_key    = /root/ca.pem

Once you have finished doing these changes, then create a file called xpextensions with the following contents:

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This is required to add the extension needed for your certificate. Then

   shell:~ # openssl ca -policy policy_anything -out certificate.pem -passin pass:password -key password -extensions xpserver_ext -extfile xpextensions -infiles server.csr

Delete the file server.csr

   shell:~ # rm server.csr

And copy the files ca.pem and certificate.pem to /usr/local/etc/raddb/certs

   shell:~ # cp ca.pem certificate.pem /usr/local/etc/raddb/certs

It is preferable to delete all info about the private key from the file ca.pem, but it is up to you.
Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.
Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.

SAMPLE EAP.CONF
eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                tls {
                        private_key_password = #The challenge password you have chosen when you generated your private key
                        private_key_file = ${raddbdir}/certs/mykey.pem
                        certificate_file = ${raddbdir}/certs/certificate.pem
                        CA_file = ${raddbdir}/certs/ca.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = /dev/urandom
                        fragment_size = 1024
                        include_length = yes
                }
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }

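The "key values mismatch" error in the transcript comes from X509_check_private_key, which openssl ca runs on the certificate and private_key files named in [ CA_default ] before it signs anything. The script below is an added example (not from the post or from the guide quoted in it) that performs the same comparison by hand, so each file can be checked on its own before running the ca command; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: the test "openssl ca" performs
# (X509_check_private_key) before it will sign, done by hand so a mismatch can
# be located before running the ca command. Assumes the openssl CLI is installed.
set -eu

# ca_key_matches CERT_FILE KEY_FILE [PASSIN]
# Exit 0 if KEY_FILE holds the private key belonging to CERT_FILE, 1 otherwise.
# Either file may contain several PEM objects (e.g. ca.pem written by
# "openssl pkcs12" holds both the key and the certificate): x509 reads the first
# certificate, pkey the first private key. PASSIN uses openssl's -passin syntax,
# e.g. pass:secret, for an encrypted key.
ca_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:unused}" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo of the situation in the post: one PEM file holding the CA's
# key and certificate, plus a separate server key (mykey.pem) that is not the
# CA key. Returns 0 only if the matching pair is accepted and the wrong key is
# rejected.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Demo CA" \
        -days 1 -keyout "$tmp/ca-key.pem" -out "$tmp/ca-cert.pem" 2>/dev/null
    cat "$tmp/ca-key.pem" "$tmp/ca-cert.pem" > "$tmp/ca.pem"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/mykey.pem" 2>/dev/null
    rc=0
    # certificate = ca.pem, private_key = ca.pem: what the directions ask for
    ca_key_matches "$tmp/ca.pem" "$tmp/ca.pem" || rc=1
    # certificate = ca.pem, private_key = mykey.pem: "key values mismatch"
    ! ca_key_matches "$tmp/ca.pem" "$tmp/mykey.pem" || rc=1
    rm -rf "$tmp"
    return "$rc"
}

demo && echo "CA certificate and key check behaves as expected"
```

To check a real setup, call ca_key_matches with the two paths from [ CA_default ] (and pass:... for the PEM pass phrase chosen during the pkcs12 conversion); a non-zero exit means openssl ca will refuse with the same error.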
