Hi,

I have Ubuntu Server installed and I have a Windows 2008 Server Certificate Authority. When I type the openssl command I keep on getting this error: "CA certificate and CA private key do not match". Any help or suggestions would be appreciated.

Thanks,
Scott

PS. I was able to get Samba to work after loading the latest Ubuntu Server 11.10. Thanks for everyone's help.

root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr
Using configuration from /usr/lib/ssl/openssl.cnf
CA certificate and CA private key do not match
3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:
root@FreeRadius:/etc/freeradius/certs#

root@FreeRadius:/etc/freeradius/certs# openssl req -new -nodes -keyout mykey.pem -out server.csr
Generating a 1024 bit RSA private key
.......++++++
........++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:Andover
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Enterasys.com
Organizational Unit Name (eg, section) []:SQA
Common Name (eg, YOUR name) []:Scott
Email Address []:s...@enterasys.com

Please enter the following 'extra' attributes
to be sent with your certificate request
enterasys []:enterasys
An optional company name []:Enterasys
root@FreeRadius:/etc/freeradius/certs#

root@FreeRadius:/etc/freeradius/certs# openssl pkcs12 -in "SQA 2008 System Certificate.p12" -out ca.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
root@FreeRadius:/etc/freeradius/certs#

root@FreeRadius:/etc/freeradius/certs# openssl ca -policy policy_anything -out certificate.pem -passin pass:enterasys -key enterasys -extensions xpserver_ext -extfile xpextensions -infiles server.csr
Using configuration from /usr/lib/ssl/openssl.cnf
CA certificate and CA private key do not match
3074058392:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:318:
root@FreeRadius:/etc/freeradius/certs#

OpenSSL.cnf file:

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default                 # The default ca section

####################################################################
[ CA_default ]

dir = /etc/freeradius                   # Where everything is kept
certs = $dir/certs                      # Where the issued certs are kept
crl_dir = $dir/crl                      # Where the issued crl are kept
database = $dir/index.txt               # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir = $dir/certs              # default place for new certs.

certificate = $certs/ca.pem             # The CA certificate
serial = $dir/serial                    # The current serial number
crlnumber = $dir/crlnumber              # the current crl number
                                        # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                      # The current CRL
private_key = $certs/mykey.pem          # The private key
RANDFILE = $certs/random                # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

Directions I am Using:

The second way of doing this, which is not very neat, is as follows:

From the computer where your freeradius is, you generate a request and a private key by:

shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the freeradius configuration. The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs

shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

Then, from the computer where your CA authority is, open a Command prompt window and type:

C:\>certutil -backup directory

It will prompt you for the password for your private key and will generate a backup of your CA private and public key inside the directory "directory". Let's say that your password is "password". Then, go to "directory"

C:\>cd directory

And copy the file "Certification Authority.p12" to the computer where your FreeRadius is. This file contains both your CA's private and public keys. Then, from your freeradius computer, you need to convert this file to a format more "manageable".

shell:~ # openssl pkcs12 -in "Certification Authority.p12" -out ca.pem

Then, you need to modify your /etc/ssl/openssl.cnf file. Locate the section [ CA_default ] and modify the lines certificate and private_key, so they point to the file you generated in the last step. Those lines should look like:

certificate = /root/ca.pem
private_key = /root/ca.pem

Once you have finished doing these changes, then create a file called xpextensions with the following contents:

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This is required to add the extension needed for your certificate. Then

shell:~ # openssl ca -policy policy_anything -out certificate.pem -passin pass:password -key password -extensions xpserver_ext -extfile xpextensions -infiles server.csr

Delete the file server.csr

shell:~ # rm server.csr

And copy the files ca.pem and certificate.pem to /usr/local/etc/raddb/certs

shell:~ # cp ca.pem certificate.pem /usr/local/etc/raddb/certs

It is preferable to delete all info about the private key from the file ca.pem, but it is up to you. Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide. Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.

SAMPLE EAP.CONF

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
                private_key_password =  #The challenge password you have chosen when you generated your private key
                private_key_file = ${raddbdir}/certs/mykey.pem
                certificate_file = ${raddbdir}/certs/certificate.pem
                CA_file = ${raddbdir}/certs/ca.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
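The "key values mismatch" error above is the check "openssl ca" runs before signing: the public key inside the CA certificate must equal the public key derived from the file named by private_key in openssl.cnf. The script below is an added example, not part of the post or of FreeRADIUS; it reproduces that check on a constructed CA (ca.pem holding certificate plus key, as the pkcs12 export produces) against both the CA's own key and an unrelated server key made with "openssl req -keyout mykey.pem". It assumes a POSIX shell and the openssl CLI; all file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): does this private key belong
# to this CA certificate? Same test "openssl ca" performs via
# X509_check_private_key, done by comparing public keys.
set -eu

# Public key carried inside a certificate (PEM).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from a private key file (PEM). When the file holds a
# certificate AND a key (as ca.pem from "openssl pkcs12 -out ca.pem" does),
# openssl skips the certificate block and reads the key block.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Exit 0 when the key matches the certificate, 1 otherwise.
ca_key_matches() {
  [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# Report "match" or "mismatch" for a certificate/key pair.
check_pair() {
  if ca_key_matches "$1" "$2"; then echo match; else echo mismatch; fi
}

# Constructed scenario in a scratch directory: a self-signed CA whose
# cert and key are concatenated into ca.pem (like the PKCS#12 export), and
# an unrelated server key mykey.pem from "openssl req -new -nodes -keyout".
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Constructed Test CA" \
  -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
cat "$demo_dir/ca.crt" "$demo_dir/ca.key" > "$demo_dir/ca.pem"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example" \
  -keyout "$demo_dir/mykey.pem" -out "$demo_dir/server.csr" 2>/dev/null

# Right pairing: CA certificate with the CA's own key (both in ca.pem).
check_pair "$demo_dir/ca.pem" "$demo_dir/ca.pem"
# Wrong pairing: CA certificate with the server key; this is the pairing
# that makes "openssl ca" refuse with "key values mismatch".
check_pair "$demo_dir/ca.pem" "$demo_dir/mykey.pem"
```

Running it prints "match" then "mismatch"; pointing private_key in openssl.cnf at whichever file yields "match" for your CA certificate is what the signing step requires.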