I am trying to get OpenSSL to work with FreeRADIUS. I am running the CA.all Perl script but am getting errors that I can't find the cause for. I have modified the openssl.cnf to put the defaults for my install. I am seeing the errors "unable to load certificate" and a missing directory, but don't see anything in the CA.all script that points to the problem. Would appreciate any suggestions.
Ron

[EMAIL PROTECTED] ssl]# ./CA.all

##################
create private key
name : name-root
CA.pl -newcert
##################

Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:

##################
create CA
use just created 'newreq.pem' private key as filename
CA.pl -newca
##################

##################
exporting ROOT CA
CA.pl -newreq
CA.pl -signreq
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem
openssl pkcs12 -in root.cer -out root.pem
##################

No certificate matches private key
22411:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
unable to load certificate
22412:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

##################
creating client certificate
name : name-clt
client certificate stored as cert-clt.pem
CA.pl -newreq
CA.pl -signreq
##################

Generating a 1024 bit RSA private key
........................++++++
..++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [whatever]:whatever
An optional company name []:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Nov 3 19:31:02 2004 GMT
        Not After : Nov 3 19:31:02 2005 GMT
    Subject:
        countryName = US
        stateOrProvinceName = Kentucky
        localityName = Georgetown
        organizationName = Georgetown College
        organizationalUnitName = ITS
        commonName = Network Manager
        emailAddress = [EMAIL PROTECTED]
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            9B:F9:44:79:B8:2C:EB:07:93:59:5F:FB:22:C7:2A:79:16:E8:4F:98
        X509v3 Authority Key Identifier:
            keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
            DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network Manager/[EMAIL PROTECTED]
            serial:00

Certificate is to be certified until Nov 3 19:31:02 2005 GMT (365 days)
Sign the certificate? [y/n]:y
-passin: No such file or directory
22414:error:02001002:system library:fopen:No such file or directory:bss_file.c:276:fopen('-passin','r')
22414:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
No certificate matches private key
22416:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
unable to load certificate
22417:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

##################
creating server certificate
name : name-srv
server certificate stored as cert-srv.pem
CA.pl -newreq
CA.pl -signreq
##################

Generating a 1024 bit RSA private key
........................................++++++
.........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [whatever]:
An optional company name []:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Nov 3 19:31:59 2004 GMT
        Not After : Nov 3 19:31:59 2005 GMT
    Subject:
        countryName = US
        stateOrProvinceName = Kentucky
        localityName = Georgetown
        organizationName = Georgetown College
        organizationalUnitName = ITS
        commonName = Network Manager
        emailAddress = [EMAIL PROTECTED]
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            5E:BC:CE:F7:C5:B1:38:54:E8:FA:2A:12:08:A9:06:25:06:55:D6:BD
        X509v3 Authority Key Identifier:
            keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
            DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network Manager/[EMAIL PROTECTED]
            serial:00

Certificate is to be certified until Nov 3 19:31:59 2005 GMT (365 days)
Sign the certificate? [y/n]:y
-passin: No such file or directory
22419:error:02001002:system library:fopen:No such file or directory:bss_file.c:276:fopen('-passin','r')
22419:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
No certificate matches private key
22421:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
unable to load certificate
22422:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

##################