On 13.02.2012 at 10:32, Alan DeKok wrote:
Please respond to the original email, not a digest, and use a good
subject line. It helps other people track the conversation.
Gilmour, Scott wrote:
Alan,
I already have certificates created on my 2008 Server so I want to
use those certificates on my Ubuntu Server without creating new ones.
That's fine.
If you use an MS CA please be aware that by default 2k8 CAs create
certificates signed with SHA-256bit - many systems (including XP and Win
2003 without a patch) are NOT able to deal with those certificates, as
they only support SHA1. Once the CA has been set up, there is no easy way
to change this.
Also, usually MS CAs include some mandatory extensions in their CRLs
which OpenSSL cannot read as well. You need to remove these extensions
in the CRL configuration.
You mentioned my openssl configuration is wrong. Any suggestions on
how I can fix the openssl configuration?
The file raddb/certs/Makefile creates good certificates. The *cnf
files in the same directory create good certificates. I don't know what
you're doing different, and it isn't really useful to look.
Grab the certificate creation commands from the Makefile, and use
those. Modify them to point to your files. It *will* work.
There's a lot of magic in creating good certs. That magic is embedded
in the existing Makefile and config files. Use them, they will make
your life easier.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
With kind regards
Rudolph Bott