suddenly problem with certificates / error in SSLv3 read client certificate B
John Dennis
jdennis at redhat.com
Wed Jan 23 20:58:29 CET 2013
On 01/23/2013 01:53 PM, Stephan Manske wrote:
> IMHO these patch
> https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
>
> with
>
> +ca.key ca.pem: ca.cnf index.txt serial
>
> makes ca.key dependant to the date of index.txt and serial
>
> Both files are updated every time a new client cert is build. IMHO.
Good catch! Yes, every time you generate a client cert both the database
(index.txt) and the serial number file are updated. The database file
keeps a record of every cert issued by the CA. The serial file is used
so the CA knows the next serial number to use.
The cert generation only works once, the next client cert issue causes a
new CA key/cert to be generated.
But there is another problem as well. The client.cnf file embeds the
cert subject name. Apparently the openssl ca command will not update the
database if there already is a cert with the same subject, which there
will be unless you edit the client.cnf file. This causes the ca command
to fail. It doesn't matter if the cert with the duplicate subject has a
different serial number.
As for why in different circumstances you've seen openssl emit the error
about incomplete data my best guess is the client files might have be
corrupted when the ca command failed. If it were only a CA key change
issue you should have just gotten a bad signature verification failure.
HTH,
John
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeradius-Users
mailing list