I am trying to get OpenSSL to work with Freeradius. I am running the
CA.all perl script but am getting errors that I cant find the cause for.
I have modified the openssl.cnf to put the defaults for my install. I
am seeing errors unable to load certificate and missing directory but
don't see anything in the CA.all script that points to the problem.
Would appreciate any suggestions.
Ron
[EMAIL PROTECTED] ssl]# ./CA.all
##################
create private key
name : name-root
CA.pl -newcert
##################
Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:
##################
create CA
use just created 'newreq.pem' private key as filename
CA.pl -newca
##################
##################
exporting ROOT CA
CA.pl -newreq
CA.pl -signreq
openssl pkcs12 -export -in demoCA/cacert.pem -inkey
newreq.pem -out root.pem
openssl pkcs12 -in root.cer -out root.pem
##################
No certificate matches private key
22411:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:asn1_lib.c:140:
unable to load certificate
22412:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
##################
creating client certificate
name : name-clt
client certificate stored as cert-clt.pem
CA.pl -newreq
CA.pl -signreq
##################
Generating a 1024 bit RSA private key
........................++++++
..++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [whatever]:whatever
An optional company name []:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 3 19:31:02 2004 GMT
Not After : Nov 3 19:31:02 2005 GMT
Subject:
countryName = US
stateOrProvinceName = Kentucky
localityName = Georgetown
organizationName = Georgetown College
organizationalUnitName = ITS
commonName = Network Manager
emailAddress = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:F9:44:79:B8:2C:EB:07:93:59:5F:FB:22:C7:2A:79:16:E8:4F:98
X509v3 Authority Key Identifier:
keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network
Manager/[EMAIL PROTECTED]
serial:00
Certificate is to be certified until Nov 3 19:31:02 2005 GMT (365 days)
Sign the certificate? [y/n]:y
-passin: No such file or directory
22414:error:02001002:system library:fopen:No such file or
directory:bss_file.c:276:fopen('-passin','r')
22414:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
No certificate matches private key
22416:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:asn1_lib.c:140:
unable to load certificate
22417:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
##################
creating server certificate
name : name-srv
server certificate stored as cert-srv.pem
CA.pl -newreq
CA.pl -signreq
##################
Generating a 1024 bit RSA private key
........................................++++++
.........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [whatever]:
An optional company name []:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 3 19:31:59 2004 GMT
Not After : Nov 3 19:31:59 2005 GMT
Subject:
countryName = US
stateOrProvinceName = Kentucky
localityName = Georgetown
organizationName = Georgetown College
organizationalUnitName = ITS
commonName = Network Manager
emailAddress = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5E:BC:CE:F7:C5:B1:38:54:E8:FA:2A:12:08:A9:06:25:06:55:D6:BD
X509v3 Authority Key Identifier:
keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network
Manager/[EMAIL PROTECTED]
serial:00
Certificate is to be certified until Nov 3 19:31:59 2005 GMT (365 days)
Sign the certificate? [y/n]:y
-passin: No such file or directory
22419:error:02001002:system library:fopen:No such file or
directory:bss_file.c:276:fopen('-passin','r')
22419:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
No certificate matches private key
22421:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:asn1_lib.c:140:
unable to load certificate
22422:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
##################
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
