Server certificate confusion
Nick Howitt
nick at howitts.co.uk
Tue Apr 17 15:35:22 CEST 2018
On 17/04/2018 13:55, Alan DeKok wrote:
> On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick at howitts.co.uk> wrote:
>> Replying to my own post.
>>
>> There was a permission problem which I've now fixed, but I still get failure:
>> eapol_test:
>>
>> (6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose
> That means that the certificate hierarchy is wrong. i.e. cert A has created cert B, but cert A doesn't have OIDs which say it's allowed to create sub-certificates.
>
> Newer versions of OpenSSL check these settings. Older versions of OpenSSL didn't do that.
>
> How did you create the certificates? The scripts in the raddb/certs directory should work, so using those would probably help.
>
> Alan DeKok.
Thanks for the reply. The distro, ClearOS, is working in a slightly funny
way. The CA is created from (adjusted expanding the variables with the
config file):
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config /etc/raddb/certs/ca.cnf
It is a little tortuous with how it gets here, but it is using the
default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking the
generated CA, I see:
X509v3 Basic Constraints: critical
CA:TRUE
Nick
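
An added example, not part of the original thread and not FreeRADIUS or OpenSSL code: a shell helper that reads the text dump of a certificate and flags the extensions that commonly trigger the "unsupported certificate purpose" failure discussed above. The function names, the role names and the sample dumps are assumptions made for illustration, and the checks are a simplified approximation of what OpenSSL does.

```shell
# Added example (not from the thread). Reads `openssl x509 -noout -text` output
# on stdin and flags extensions that would make a purpose check fail.
# Usage: openssl x509 -in ca.pem -noout -text | purpose_check ca
# Print the value line that follows an extension header in the text dump.
ext_value() {
    printf '%s\n' "$1" | awk -v h="$2" 'f { sub(/^[ \t]+/, ""); print; exit } index($0, h) { f = 1 }'
}

# purpose_check ROLE, with ROLE = ca | server | client. Returns 0 if clean.
purpose_check() {
    role=$1; dump=$(cat); rc=0; want=
    bc=$(ext_value "$dump" "X509v3 Basic Constraints")
    ku=$(ext_value "$dump" "X509v3 Key Usage")
    eku=$(ext_value "$dump" "X509v3 Extended Key Usage")
    case $role in
    ca)
        # Assumption: a missing Basic Constraints extension counts as a failure.
        case $bc in
        *CA:TRUE*) ;;
        *) echo "FAIL: Basic Constraints is '${bc:-absent}', not CA:TRUE"; rc=1 ;;
        esac
        # Key Usage is optional, but when present it must allow signing certs.
        case "${ku:-Certificate Sign}" in
        *"Certificate Sign"*) ;;
        *) echo "FAIL: Key Usage '$ku' lacks Certificate Sign"; rc=1 ;;
        esac ;;
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "usage: purpose_check ca|server|client" >&2; return 2 ;;
    esac
    # Extended Key Usage is optional; when present it must list the role.
    if [ -n "$want" ] && [ -n "$eku" ]; then
        case $eku in
        *"$want"*) ;;
        *) echo "FAIL: Extended Key Usage '$eku' lacks '$want'"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed samples: the first mirrors the CA output quoted in the post.
SAMPLE_CA='            X509v3 Basic Constraints: critical
                CA:TRUE'
SAMPLE_CA_NOSIGN="$SAMPLE_CA
            X509v3 Key Usage:
                Digital Signature, Key Encipherment"
SAMPLE_SERVER='            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
printf '%s\n' "$SAMPLE_SERVER" | purpose_check client || true
```

Run it once per certificate in the chain with the role that certificate plays; a certificate that passes as `server` but fails as `client` is restricted to server use by its Extended Key Usage.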