This thing happens when certificates share common data. You cannot have two certificates that look otherwise the same.

You have the same thing in the server's certificate and the client's certificate. You can use a different "Common Name". (don't use commonName_default in openssl.cnf)

Jean-Paul.

Hello,

I'm trying to set up freeradius to use EAP-TLS, using the CA.all script included with the distribution to generate the necessary server and client certificates. I'm using the CVS snapshot from 11/20/2003, with openssl 0.9.7c. openssl is installed in /usr/local/ssl, and I'm running the script from the /usr/local/ssl/certs directory.

Here's the output I get at the end at the step where the server cert is generated:

Certificate is to be certified until Nov 24 00:42:41 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
23242:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23243:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##################\n'

##################

And here is the state of the certs directory:

-rwxr-xr-x    1 root     staff        3119 Nov 21 17:52 CA.all
-rw-r--r--    1 root     staff        9304 Nov 24 19:43 CA_output
-rw-r--r--    1 root     staff         689 Nov 24 19:42 cert-clt.der
-rw-r--r--    1 root     staff        1709 Nov 24 19:42 cert-clt.p12
-rw-r--r--    1 root     staff        2389 Nov 24 19:42 cert-clt.pem
-rw-r--r--    1 root     staff           0 Nov 24 19:42 cert-srv.p12
-rw-r--r--    1 root     staff           0 Nov 24 19:42 cert-srv.pem
drwxr-sr-x    6 root     staff        4096 Nov 24 19:42 demoCA
-rw-r--r--    1 root     staff           0 Nov 24 19:42 newcert.pem
-rw-r--r--    1 root     staff        1667 Nov 24 19:42 newreq.pem
-rw-r--r--    1 root     staff         906 Nov 24 19:42 root.der
-rw-r--r--    1 root     staff        1925 Nov 24 19:42 root.p12
-rw-r--r--    1 root     staff        2681 Nov 24 19:42 root.pem
-rw-r--r--    1 root     staff         148 Nov 21 18:29 xpextensions

Can someone take a look at this and possibly tell me if I'm doing anything wrong? I scripted the entire output of CA.all, so I can send as an attachment if requested.

Thanks,

-Chris
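
A pre-flight check for the clash described in the reply, as an added example that is not part of the original thread or of the CA.all script. `openssl ca` records one tab-separated line per issued certificate in its index.txt database, and a request whose subject DN equals that of an entry still marked valid is refused with "TXT_DB error number 2". The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the duplicate-subject clash before running `openssl ca`.
# index.txt fields (tab-separated):
#   1 status (V/R/E)  2 expiry  3 revocation date  4 serial  5 filename  6 subject DN
# Only entries with status V take part in the subject uniqueness check.
# (Later OpenSSL releases can relax it with unique_subject = no in the CA section.)

# subject_clash INDEX SUBJECT
# Prints the serial of every valid entry whose subject DN equals SUBJECT.
# Returns 0 if a clash exists, 1 if the subject is free to sign.
subject_clash() {
    # Pass the DN through the environment so awk does not interpret backslashes.
    WANT="$2" awk -F '\t' '
        $1 == "V" && $6 == ENVIRON["WANT"] { print $4; hit = 1 }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# Constructed sample database: one valid client certificate, one revoked server one.
make_sample_index() {
    printf 'V\t041124004241Z\t\t01\tunknown\t/C=CA/O=Example/CN=Client certificate\n'
    printf 'R\t041124004241Z\t031125000000Z\t02\tunknown\t/C=CA/O=Example/CN=Old server\n'
}

# Demonstration on the constructed data.
idx=$(mktemp) && make_sample_index > "$idx"
for subj in '/C=CA/O=Example/CN=Client certificate' \
            '/C=CA/O=Example/CN=Old server' \
            '/C=CA/O=Example/CN=Server certificate'
do
    if serials=$(subject_clash "$idx" "$subj"); then
        echo "CLASH with serial $serials: $subj"
    else
        echo "ok to sign: $subj"
    fi
done
rm -f "$idx"
```

For a real run, pass the CA's own database (demoCA/index.txt with the default openssl.cnf layout) and write the subject in the same slash-separated form that index.txt uses.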


