Certificate creation????

2005-05-31 Thread Andreas Korber
Hi,
What am I doing wrong? The creation of my certificates for EAP/TLS with
CA.all or CA.certs always ends with a message like this:

-
Country Name (2 letter code) [AU]:State or Province Name (full name)
[Some-State]:Locality Name (eg, city) []:Organization Name (eg, company)
[Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common
Name (eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:Using configuration from
/etc/ssl/openssl.cnf
./demoCA/serial: No such file or directory
error while loading serial number
3164:error:02001002:system library:fopen:No such file or
directory:bss_file.c:276:fopen('./demoCA/serial','r')
3164:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
Failed to do sign certificate
radius:/usr/local/etc/raddb/certs #


So I looked for the serial file, but it doesn't exist. I think that is because of an
earlier message:

CA certificate filename (or enter to create)
unknown option -next_serial
usage: x509 args
 -inform arg - input format - default PEM (one of DER, NET or PEM)
 -outform arg- output format - default PEM (one of DER, NET or PEM)
 -keyform arg- private key format - default PEM
 -CAform arg - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg - input file - default stdin
 -out arg- output file - default stdout
 -passin arg - private key password source
 -serial - print serial number value
 -hash   - print hash value
 -subject- print subject DN
 -issuer - print issuer DN
 -email  - print email address(es)
 -startdate  - notBefore field
 -enddate- notAfter field
 -purpose- print out certificate purposes
 -dates  - both Before and After dates
 -modulus- print the RSA key modulus
 -pubkey - output the public key
 -fingerprint- print the certificate fingerprint
 -alias  - output certificate alias
 -noout  - no certificate output
 -ocspid - print OCSP hash values for the subject name and public
key
 -trustout   - output a "trusted" certificate
 -clrtrust   - clear all trusted purposes
 -clrreject  - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg   - How long till expiry of a signed certificate - def 30
days
 -checkend arg   - check whether the cert expires in the next arg seconds
   exit 1 if so, 0 if not
 -signkey arg- self sign cert with arg
 -x509toreq  - output a certification request object
 -req- input is a certificate request, sign and output.
 -CA arg - set the CA certificate, must be PEM format.
 -CAkey arg  - set the CA key, must be PEM format
   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial - serial number to use
 -text   - print the certificate in text form
 -C  - print out C code forms
 -md2/-md5/-sha1/-mdc2 - digest to use
 -extfile- configuration file with X509V3 extensions to add
 -extensions - section from config file with X509V3 extensions to add
 -clrext - delete extensions before signing and input certificate
 -nameopt arg- various certificate name options
 -engine e   - use engine e, possibly a hardware device.
 -certopt arg- various certificate text options

Can anyone help me please?



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Certificate creation????

2005-05-31 Thread Alan DeKok
"Andreas Korber" <[EMAIL PROTECTED]> wrote:
> What i am doing wrong? The creation of my certificates for EAP/TLS with
> CA.all or CA.certs always end with an message like this:

  It looks like the version of OpenSSL you have is different than the
one the script is expecting.

  At this point, I suggest reading the OpenSSL documentation on how to
create certificates.  The CA.all & CA.certs scripts will help you.

  Alan DeKok.




Re: Certificate creation????

2005-06-01 Thread Andrew Street

Hi Andreas,

Had the same problem recently - it's due to the -next_serial option 
being unsupported in your version of OpenSSL but the CA.pl script 
requiring it! The -next_serial option was introduced in OpenSSL version 
0.9.7e :


Changes between 0.9.7d and 0.9.7e  [XX xxx ]
  
 -  *)

 +  *) Reduce the chances of duplicate issuer name and serial numbers (in
 + violation of RFC3280) using the OpenSSL certificate creation utilities. 
 + This is done by creating a random 64 bit value for the initial serial

 + number when a serial number file is created or when a self signed
 + certificate is created using 'openssl req -x509'. The initial serial
 + number file is created using 'openssl x509 -next_serial' in CA.pl
 + rather than being initialized to 1.
 + [Steve Henson]


I had installed 0.9.7g without removing an existing version of OpenSSL 
(0.9.7d). I don't know if this is your problem but I would try removing 
all versions of OpenSSL and reinstalling 0.9.7g - everything should work 
when the CA.pl script and the openssl versions are 'in-line'.


Hope this helps

Andy Street


EAP-TLS: Certificate creation doesn't work (Debian)

2007-12-15 Thread Julian Stöver

Hi!
I'm using Freeradius 1.1.3 under Debian Etch! I want to configure
Freeradius with EAP-TLS in my network but there are some problems with the
certificate creation.


I get this message when I run the file "certs.sh" in the "docs/freeradius/examples/" directory:




##
create private key
name : name-root
CA.pl -newcert
##

Generating a 1024 bit RSA private key
.++
++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:State or Province Name (full name)  
[Some-State]:Locality Name (eg, city) []:Organization Name (eg,  
company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg,  
section) []:Common Name (eg, YOUR name) []:Email Address []:

##
create CA
use just created 'newreq.pem' private key as filename
CA.pl -newca
##

CA certificate filename (or enter to create)

##
exporting ROOT CA
CA.pl -newreq
CA.pl -signreq
		openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem

openssl pkcs12 -in root.cer -out root.pem
##

MAC verified OK

##
creating client certificate
name : name-clt
client certificate stored as cert-clt.pem
CA.pl -newreq
CA.pl -signreq
##

Generating a 1024 bit RSA private key
..++
.++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:State or Province Name (full name)  
[Some-State]:Locality Name (eg, city) []:Organization Name (eg,  
company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg,  
section) []:Common Name (eg, YOUR name) []:Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:Using configuration from /usr/lib/ssl/openssl.cnf

./demoCA/serial: No such file or directory
error while loading serial number
11733:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./demoCA/serial','r')

11733:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
Failed to do sign certificate


I think the last 6 lines are important. I searched for a "serial"
file, but it doesn't exist. Are there other users with this problem?
How can I solve this problem?


Regards
Julian



Re: EAP-TLS: Certificate creation doesn't work (Debian)

2007-12-15 Thread ikpirhu last
You have to look at certs.sh and modify the paths in that file,
as well as the openssl.cnf file.
It's kind of a workaround, but I don't have a better way.

or you can
echo 00 > serial


Re: EAP-TLS: Certificate creation doesn't work (Debian)

2007-12-15 Thread Julian Stöver

OK, I already tried to fix the script but didn't try your hint.

I've put some extra "echo 00 > serial" into CA.certs, because the file
was deleted while running the script.

Everything is fine now :-)

thanks!



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
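The thread's fix is to hand-create demoCA/serial (the "echo 00 > serial" workaround) because the installed openssl lacks the "x509 -next_serial" that CA.pl uses from 0.9.7e to seed the file with a random 64-bit value. The script below is an added example, not code from the thread, from CA.pl or from certs.sh: it builds the demoCA layout that "openssl ca" expects, seeds the serial file the way the 0.9.7e changelog describes (random 64-bit value rather than 1) using od on /dev/urandom instead of openssl, and checks the file has the even-length hex form that OpenSSL will accept. The directory name ./demoCA and the function names are assumptions.

```shell
#!/bin/sh
# Added example: initialise the demoCA directory layout that CA.pl and
# 'openssl ca' expect, so signing can find ./demoCA/serial.
# Assumption: the CA directory is ./demoCA, as in the stock openssl.cnf.

# Print a random 64-bit serial as 16 upper-case hex digits, the format of
# the 'serial' file. Reads /dev/urandom via od so it works even when the
# installed openssl has no 'x509 -next_serial' (added in 0.9.7e).
random_serial() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Check that a serial file is usable: present, non-empty, hex digits only
# and an even number of them. OpenSSL reads the file as a hex string and
# rejects an odd digit count, which is why 'echo 00' works but 'echo 0'
# would not.
check_serial_file() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    s=$(tr -d '\n' < "$f")
    case "$s" in
        *[!0-9A-Fa-f]*|"") echo "not hex: $f" >&2; return 1 ;;
    esac
    [ $((${#s} % 2)) -eq 0 ] || { echo "odd digit count: $f" >&2; return 1; }
    return 0
}

# Create the CA layout. An existing serial or index file is left alone so a
# re-run never resets the counter: reusing an issuer/serial pair violates
# RFC 3280, which is what the random initial value is meant to avoid.
init_democa() {
    dir=${1:-./demoCA}
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"           # the CA private key lives here
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"
    if [ ! -s "$dir/serial" ]; then
        printf '%s\n' "$(random_serial)" > "$dir/serial"
    fi
    check_serial_file "$dir/serial"
}
```

Run "init_democa" in the directory named by openssl.cnf before CA.pl -newca; rerunning it is safe because it never overwrites an existing serial.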