Server certificate confusion

Nick Howitt nick at howitts.co.uk
Wed Apr 18 13:36:08 CEST 2018



On 18/04/2018 12:23, Stefan Winter wrote:
> Hi,
>
>> I've reverted the set up to use the standard Freeradius certs and I've
>> been through the certs README, deleting all certificates  and recreating
>> the ca.pem and server certs (btw I think the order in the README is
>> wrong as you need to create the server.csr before the server.pem) and
>> I've hit the same "(6) eap_tls:   ERROR: SSL says error 26 : unsupported
>> certificate purpose" issue when running eapol_test with the new certs.
> Can you paste both the CA's and the server's PEM representation into a
> mail on the list?
>
> Stefan
I've just recreated them as I had to remove the extension for testing. 
Note I have increased the validity of both in the cnf files to 3650d; 
everything else is at default.
From "history":
   994  cd /etc/raddb/certs
   995  rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
   996  make ca.pem
   997  server.csr
   998  make server.csr
   999  make server.pem
  1000  openssl x509 -text -noout -in server.pem
  1001  history

ca.pem:

server.pem:
Bag Attributes
     localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37
subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin at example.org
issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.org/CN=Example Certificate Authority
Bag Attributes
     localKeyID: AD A7 E8 29 BB 2F C9 69 4F 75 2E F4 EF 80 70 99 B1 75 04 37
Key Attributes: <No Attributes>

It is a temporary cert so I don't mind publishing the key which is in 
the server.pem.
Regards,
Nick

