>I did find the Makefile. Thanks! I tried to do a make caclient.pem but
>it threw this error:
>
>openssl req -new  -out caclient.csr -keyout caclient.key -config
>../client.cnf
>Generating a 2048 bit RSA private key
>............+++
>........+++
>writing new private key to 'caclient.key'
>-----
>openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr  -key
>`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt
>-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
>Using configuration from ./client.cnf
>wrong number of fields on line 1 (looking for field 6, got 1, '' left)
>make: *** [caclient.crt] Error 1
>
>I don't need to re-do my CA and server cert prior to making the client
>certs, do I?
>
>Here is my client.cnf. It's almost as if it doesn't understand that it
>needs to take the values from [ CA_default ]
>
>[ ca ]
>default_ca              = CA_default
>
>[ CA_default ]
>dir                     = ./
>certs                   = $dir
>crl_dir                 = $dir/crl
>database                = $dir/index.txt
>new_certs_dir           = $dir
>certificate             = $dir/server.pem
>serial                  = $dir/serial
>crl                     = $dir/crl.pem
>private_key             = $dir/server.key
>RANDFILE                = $dir/.rand
>name_opt                = ca_default
>cert_opt                = ca_default
>default_days            = 7300
>default_crl_days        = 30
>default_md              = sha1
>preserve                = no
>policy                  = policy_match
>
>[ policy_match ]
>countryName             = match
>stateOrProvinceName     = match
>organizationName        = match
>localityName            = optional
>organizationalUnitName  = optional
>commonName              = supplied
>emailAddress            = optional
>
>[ policy_anything ]
>countryName             = optional
>stateOrProvinceName     = optional
>localityName            = optional
>organizationName        = optional
>organizationalUnitName  = optional
>commonName              = supplied
>emailAddress            = optional
>
>[ req ]
>prompt                  = no
>distinguished_name      = client
>default_bits            = 2048
>input_password          = <hidden>
>output_password         = <hidden>
>
>[client]
>countryName             = US
>stateOrProvinceName     = Michigan
>localityName            = Hancock
>organizationName        = REMC1
>emailAddress            = supp...@remc1.net
>

I'll check again. You can't make both client and caclient certificates
for the same user (you have to revoke one in order to make the other).
You don't need new CA and server certificates.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
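
The "wrong number of fields on line 1" message in the quoted output is what OpenSSL prints when a line of the CA database file (`database = $dir/index.txt` above) does not parse as six tab-separated fields. The script below is an added example, not part of the original thread or the FreeRADIUS Makefile: it checks such a file for malformed lines and for two valid entries sharing one subject, the case the reply describes. The function names and sample records are constructed for illustration, and the duplicate check assumes the default `unique_subject` behaviour.

```shell
#!/bin/sh
# check_index FILE: validate an OpenSSL CA database file (the "database"
# setting under [ CA_default ]; index.txt in the quoted client.cnf).
# Prints one line per problem; returns 1 if any were found, else 0.
check_index() {
    awk -F'\t' '
        # A record is 6 tab-separated fields: status, expiry date,
        # revocation date, serial, file name, subject DN.
        NF != 6 {
            printf "line %d: expected 6 fields, got %d\n", NR, NF
            bad = 1; next
        }
        $1 !~ /^[VRE]$/ {
            printf "line %d: unknown status \"%s\"\n", NR, $1; bad = 1
        }
        $1 == "R" && $3 == "" {
            printf "line %d: revoked entry has no revocation date\n", NR; bad = 1
        }
        $4 !~ /^[0-9A-Fa-f]+$/ {
            printf "line %d: serial \"%s\" is not hex\n", NR, $4; bad = 1
        }
        # Two valid entries for one subject: one must be revoked first.
        $1 == "V" {
            if ($6 in seen) {
                printf "line %d: subject already valid on line %d\n", NR, seen[$6]
                bad = 1
            } else seen[$6] = NR
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data (not from the post): a blank first line, then
# two valid entries with the same subject, then a revoked entry.
write_sample() {
    {
        printf '\n'
        printf 'V\t300101000000Z\t\t01\tunknown\t/C=US/O=Example/CN=user1\n'
        printf 'V\t300101000000Z\t\t02\tunknown\t/C=US/O=Example/CN=user1\n'
        printf 'R\t300101000000Z\t240101000000Z\t03\tunknown\t/C=US/O=Example/CN=user2\n'
    } > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_index "$sample" || echo "index file needs repair"
rm -f "$sample"
```

A zero-byte index.txt passes the check; a file containing only a blank line does not.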
