Thanks Artur,
Artur Hecker wrote:
hi
Thanks to the EAP/TLS Howto, I was able to setup the radius server
and get all the authentification I needed going.
Now the script, which creates the root certificate, generates
root.pem with a lifetime of 30 days.
After that authentification doesn't work, OK. Last month I recreated
everything. That's a pain...
- How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expriration date. take a look at the
scripts.
Well, I didn't find any expiration date in my CA.root script.
In openssl.cnf I have:
default_days= 365 # how long to certify for
default_crl_days= 365
These only seem to affect the 'user' certs - gives them one year lifetime.
Using the script in http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
This is the script CA.root I am using.
---snipsnip---
#!/bin/sh/
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
# needed if you need to start from scratch otherwise the CA.pl -newca
command doesn't copy the new
# private key into the CA directories
rm -rf demoCA
echo
*
echo Creating self-signed private key and certificate
echo When prompted override the default value for the Common Name field
echo
*
echo
# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin
pass:whatever -passout pass:whatever
echo
*
echo Creating a new CA hierarchy (used later by the ca command) with
the certificate
echo and private key created in the last step
echo
*
echo
echo newreq.pem | CA.pl -newca /dev/null
echo
*
echo Creating ROOT CA
echo
*
echo
# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem.
Instead of
# using -in demoCA/cacert.pem we could have used -in newreq.pem and
then omitted
# the -inkey newreq.pem because newreq.pem contains both the private
key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out
root.p12 -cacerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format
certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout
pass:whatever
# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#Clean Up
rm -rf newreq.pem
---snipsnip---
This script creates my 'root.der' file, which I store on the wifi clients.
I have the second box, with software up and running.
But again, the certificates:
- My first attempt - just copying them - didn't work. OK, just a try.
why? what exactly did you copy and what exactly did you certify?
- Second, since the certs are tied to hostname, I recreated them -
guess what...
well, you have to look at what you are doing. are you sure that your
certificates are tied to the host address? because mine are not. and i
doubt that this is verified anyway. the server simply has a pair of
keys and both are signed and one of them (the private) is encrypted.
the posession of the decryption key enables the usage.
AFAIK I have three types of certs, which I need:
filename locationscript-file
root.pem radius-server:/etc/1x CA.root
root.der user-host #created above - derived
server.pem radius-server:/etc/1x CA.svr radius-server
user.p12 user-host CA.clt username
So, server.pem has the hostname in it...
Rather than fixing the way I did it... what about showing me the right
way to do it
Copying / modifying / creating the appropriate certs for a backup radius
server.
ciao
artur
As you can see, I am a bit lost there...
Thanks a lot for your help!
Tom
--
Thomas Maenner
E-Mail: mailto:[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
