there is a script that comes with the freeradius source (perhaps bins aswell) that generates you new certs. for me the script is @ /usr/src/freeradius-1.1.6/scripts/CA.all
iirc that will generate you all the certs u need and read default options from your openssl config file. You will have to copy across your new certs once done (be sure to backup 1st). good luck. On 4/27/07, member alsuki <[EMAIL PROTECTED]> wrote: > Hello, list. > > I'm having some problems implementing freeradius on opensuse box. > I've followed the toturial at novell and as a test i've used the default CA > and certs that camed with the freeradius rpm. > This worked very good the server started and every thing seamed nice. > Then i made my own CA and certs, 1st a 4096 and then a 1024 bits, but no > luck in either cases. > Is there a limit to the length of the certs and CA keys? > I've google to find if there was some info on this but no luck. > Can anyone help me on this? > > This is a radiusd -X -A output. > > Starting - reading configuration files ... > reread_config: reading radiusd.conf > Config: including file: /etc/raddb/proxy.conf > Config: including file: /etc/raddb/clients.conf > Config: including file: /etc/raddb/snmp.conf > Config: including file: /etc/raddb/eap.conf > Config: including file: /etc/raddb/sql.conf > main: prefix = "/usr" > main: localstatedir = "/var" > main: logdir = "/var/log/radius" > main: libdir = "/usr/lib/freeradius" > main: radacctdir = "/var/log/radius/radacct" > main: hostname_lookups = no > main: max_request_time = 30 > main: cleanup_delay = 5 > main: max_requests = 1024 > main: delete_blocked_requests = 0 > main: port = 0 > main: allow_core_dumps = no > main: log_stripped_names = no > main: log_file = "/var/log/radius/radius.log" > main: log_auth = no > main: log_auth_badpass = no > main: log_auth_goodpass = no > main: pidfile = "/var/run/radiusd/radiusd.pid" > main: bind_address = 10.10.0.1 IP address [10.10.0.1] > main: user = "radiusd" > main: group = "radiusd" > main: usercollide = no > main: lower_user = "no" > main: lower_pass = "no" > main: nospace_user = "no" > main: nospace_pass = "no" > main: checkrad = "/usr/sbin/checkrad" > main: proxy_requests = yes > proxy: retry_delay = 5 > proxy: retry_count = 3 > proxy: synchronous = no > proxy: default_fallback = yes > proxy: dead_time = 120 > proxy: post_proxy_authorize = no > proxy: wake_all_if_all_dead = no > security: max_attributes = 200 > security: reject_delay = 1 > security: status_server = no > main: debug_level = 0 > read_config_files: reading dictionary > read_config_files: reading naslist > read_config_files: reading clients > read_config_files: reading realms > radiusd: entering modules setup > Module: Library search path is /usr/lib/freeradius > Module: Loaded exec > exec: wait = yes > exec: program = "(null)" > exec: input_pairs = "request" > exec: output_pairs = "(null)" > exec: packet_type = "(null)" > rlm_exec: Wait=yes but no output defined. Did you mean output=none? > Module: Instantiated exec (exec) > Module: Loaded expr > Module: Instantiated expr (expr) > Module: Loaded PAP > pap: encryption_scheme = "crypt" > Module: Instantiated pap (pap) > Module: Loaded CHAP > Module: Instantiated chap (chap) > Module: Loaded MS-CHAP > mschap: use_mppe = yes > mschap: require_encryption = yes > mschap: require_strong = yes > mschap: with_ntdomain_hack = no > mschap: passwd = "(null)" > mschap: ntlm_auth = "(null)" > Module: Instantiated mschap (mschap) > Module: Loaded System > unix: cache = no > unix: passwd = "(null)" > unix: shadow = "(null)" > unix: group = "(null)" > unix: radwtmp = "/var/log/radius/radwtmp" > unix: usegroup = no > unix: cache_reload = 600 > Module: Instantiated unix (unix) > Module: Loaded eap > eap: default_eap_type = "peap" > eap: timer_expire = 60 > eap: ignore_unknown_eap_types = no > eap: cisco_accounting_username_bug = no > rlm_eap: Loaded and initialized type md5 > rlm_eap: Loaded and initialized type leap > gtc: challenge = "Password: " > gtc: auth_type = "PAP" > rlm_eap: Loaded and initialized type gtc > tls: rsa_key_exchange = no > tls: dh_key_exchange = yes > tls: rsa_key_length = 512 > tls: dh_key_length = 512 > tls: verify_depth = 0 > tls: CA_path = "(null)" > tls: pem_file_type = yes > tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" > tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" > tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" > tls: private_key_password = "whatever" > tls: dh_file = "/etc/raddb/certs/dh" > tls: random_file = "/etc/raddb/certs/random" > tls: fragment_size = 1024 > tls: include_length = yes > tls: check_crl = no > tls: check_cert_cn = "(null)" > tls: cipher_list = "(null)" > tls: check_cert_issuer = "(null)" > rlm_eap_tls: Loading the certificate file as a chain > rlm_eap: SSL error error:06065064:digital envelope > routines:EVP_DecryptFinal_ex:bad decrypt > rlm_eap_tls: Error reading private key file > rlm_eap: Failed to initialize type tls > radiusd.conf[10]: eap: Module instantiation failed. > radiusd.conf[1941] Unknown module "eap". > radiusd.conf[1888] Failed to parse authenticate section. > > Thanks for any help that may came from this list. > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
