Failure with "TLS authentication" and "Freeradius on Fefora-17"
Ajay Garg
ajaygargnsit at gmail.com
Mon Jan 7 21:32:57 CET 2013
John,
I am confused.
I will be grateful if you could specify the sequence of commands to be
run after "make destroycerts".
Note that ::
a)
Running JUST "make client" generates "client.pem" and "ca.pem", but no
"server.pem".
b)
Running JUST "make" generates "server.pem" and "ca.pem", but no
"client.pem".
On Tue, Jan 8, 2013 at 1:44 AM, John Dennis <jdennis at redhat.com> wrote:
> On 01/07/2013 02:41 PM, Ajay Garg wrote:
>
>> Upon restarting, it shows a "missing server.pem" error.
>> I reckon that we need to run "make server" too at some point of time (so
>> that "server.pem" gets generated after "make destroycerts").
>>
>
> make destroycerts should have removed all the pem files and keys. After
> running make again it will generate all new files. client has a dependency
> on ca and server files so it should have created a new ca, new server key
> and cert, a new client cert. Did it?
>
> Just to be clear, your client needs to trust the CA that signed your
> server cert and the server needs to trust the CA that signed your client
> cert. Typically those are located on two different machines. Make sure
> those line up or you're doomed. It's not clear to me which machines you're
> running these commands on and where you're copying the resulting files, but
> that's critical to get right. You can use the same CA to sign both the
> server cert and the client cert, but that's not a requirement, it just
> helps simplify the deployment a tad bit.
>
>
> HOWEVER, I am now confused which "ca.pem" to consider, the one generated
>> via "make server", or the one generated via "make client"?
>>
>
> Argh... you really need to be much more clear with what you're doing. If
> you're running the cert creation commands on different machines and leaving
> the results on that machine this will never work.
>
> Make sure you understand the RELATIONSHIP BETWEEN A CERTIFICATE AND IT'S
> SIGNER (issuing CA) and how that translates to the configuration parameters
> for each software component (see above).
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
--
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130108/57b778fa/attachment.html>
More information about the Freeradius-Users
mailing list