On 01/07/2013 02:41 PM, Ajay Garg wrote:
> Upon restarting, it shows a "missing server.pem" error.
> I reckon that we need to run "make server" too at some point of time (so
> that "server.pem" gets generated after "make destroycerts").

make destroycerts should have removed all the pem files and keys. After running make again it will generate all new files. client has a dependency on ca and server files so it should have created a new ca, new server key and cert, a new client cert. Did it?

Just to be clear, your client needs to trust the CA that signed your server cert and the server needs to trust the CA that signed your client cert. Typically those are located on two different machines. Make sure those line up or you're doomed. It's not clear to me which machines you're running these commands on and where you're copying the resulting files, but that's critical to get right. You can use the same CA to sign both the server cert and the client cert, but that's not a requirement, it just helps simplify the deployment a tad bit.

> HOWEVER, I am now confused which "ca.pem" to consider, the one generated
> via "make server", or the one generated via "make client"?

Argh... you really need to be much more clear with what you're doing. If you're running the cert creation commands on different machines and leaving the results on that machine this will never work.

Make sure you understand the RELATIONSHIP BETWEEN A CERTIFICATE AND ITS SIGNER (issuing CA) and how that translates to the configuration parameters for each software component (see above).

--
John Dennis <jden...@redhat.com>
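
The certificate-to-signer relationship described in the reply above can be checked with openssl before any RADIUS configuration is touched. This is an added example, not part of the original thread and not the FreeRADIUS certs Makefile; the file names, subject names and helper functions (`new_ca`, `issue`, `chains_to`, `dn`) are assumptions. It shows what happens when the CA is rebuilt on one side while the peer still holds the old `ca.pem`.

```shell
#!/bin/sh
# Added example: throwaway CAs and certs in a temp dir. File names, subjects
# and helper names are constructed here, not the FreeRADIUS Makefile's output.
WORK=$(mktemp -d)
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_ca() {     # new_ca NAME: fresh key + self-signed CA cert, same subject every time
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue() {      # issue CA NAME SERIAL: key + CSR for NAME, signed with CA's key
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 2 -set_serial "$3" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}
chains_to() {  # chains_to CA CERT: true only if CERT verifies with CA as trust anchor
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'
}
dn() {         # dn subject|issuer CERT: print that name without the "subject=" label
    openssl x509 -in "$WORK/$2.pem" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# First build: one CA signs both certs; a copy of ca.pem goes to the other machine.
new_ca ca
issue ca server 1
issue ca client 2
cp "$WORK/ca.pem" "$WORK/stale_ca.pem"

# Later: CA and server cert are destroyed and rebuilt on one machine only.
new_ca ca
issue ca server 3

for pair in "ca server" "ca client" "stale_ca server" "stale_ca client"; do
    set -- $pair
    if chains_to "$1" "$2"; then r=trusted; else r=REJECTED; fi
    echo "$1.pem -> $2.pem: $r"
done
echo "server issuer: $(dn issuer server) / stale CA subject: $(dn subject stale_ca)"
```

Only the pairs where the trust anchor holds the key that actually signed the certificate verify, even though the issuer name is identical in all four cases.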
