Certificate creation????
Hi,

What am I doing wrong? The creation of my certificates for EAP/TLS with CA.all or CA.certs always ends with a message like this:

    -
    Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:An optional company name []:Using configuration from /etc/ssl/openssl.cnf
    ./demoCA/serial: No such file or directory
    error while loading serial number
    3164:error:02001002:system library:fopen:No such file or directory:bss_file.c:276:fopen('./demoCA/serial','r')
    3164:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
    Failed to do sign certificate
    radius:/usr/local/etc/raddb/certs #

So I looked for the serial file. But it doesn't exist. I think because of an earlier message:

    CA certificate filename (or enter to create)
    unknown option -next_serial
    usage: x509 args
     -inform arg     - input format - default PEM (one of DER, NET or PEM)
     -outform arg    - output format - default PEM (one of DER, NET or PEM)
     -keyform arg    - private key format - default PEM
     -CAform arg     - CA format - default PEM
     -CAkeyform arg  - CA key format - default PEM
     -in arg         - input file - default stdin
     -out arg        - output file - default stdout
     -passin arg     - private key password source
     -serial         - print serial number value
     -hash           - print hash value
     -subject        - print subject DN
     -issuer         - print issuer DN
     -email          - print email address(es)
     -startdate      - notBefore field
     -enddate        - notAfter field
     -purpose        - print out certificate purposes
     -dates          - both Before and After dates
     -modulus        - print the RSA key modulus
     -pubkey         - output the public key
     -fingerprint    - print the certificate fingerprint
     -alias          - output certificate alias
     -noout          - no certificate output
     -ocspid         - print OCSP hash values for the subject name and public key
     -trustout       - output a "trusted" certificate
     -clrtrust       - clear all trusted purposes
     -clrreject      - clear all rejected purposes
     -addtrust arg   - trust certificate for a given purpose
     -addreject arg  - reject certificate for a given purpose
     -setalias arg   - set certificate alias
     -days arg       - How long till expiry of a signed certificate - def 30 days
     -checkend arg   - check whether the cert expires in the next arg seconds
                       exit 1 if so, 0 if not
     -signkey arg    - self sign cert with arg
     -x509toreq      - output a certification request object
     -req            - input is a certificate request, sign and output.
     -CA arg         - set the CA certificate, must be PEM format.
     -CAkey arg      - set the CA key, must be PEM format
                       missing, it is assumed to be in the CA file.
     -CAcreateserial - create serial number file if it does not exist
     -CAserial arg   - serial file
     -set_serial     - serial number to use
     -text           - print the certificate in text form
     -C              - print out C code forms
     -md2/-md5/-sha1/-mdc2 - digest to use
     -extfile        - configuration file with X509V3 extensions to add
     -extensions     - section from config file with X509V3 extensions to add
     -clrext         - delete extensions before signing and input certificate
     -nameopt arg    - various certificate name options
     -engine e       - use engine e, possibly a hardware device.
     -certopt arg    - various certificate text options

Can anyone help me please??

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate creation????
"Andreas Korber" <[EMAIL PROTECTED]> wrote:
> What am I doing wrong? The creation of my certificates for EAP/TLS with
> CA.all or CA.certs always ends with a message like this:

It looks like the version of OpenSSL you have is different than the one the script is expecting. At this point, I suggest reading the OpenSSL documentation on how to create certificates. The CA.all & CA.certs scripts will help you.

Alan DeKok.
Re: Certificate creation????
Hi Andreas,

Had the same problem recently - it's due to the -next_serial option being unsupported in your version of OpenSSL but the CA.pl script requiring it! The -next_serial option was introduced in OpenSSL version 0.9.7e:

    Changes between 0.9.7d and 0.9.7e [XX xxx ]

     *) Reduce the chances of duplicate issuer name and serial numbers (in
        violation of RFC3280) using the OpenSSL certificate creation utilities.
        This is done by creating a random 64 bit value for the initial serial
        number when a serial number file is created or when a self signed
        certificate is created using 'openssl req -x509'. The initial serial
        number file is created using 'openssl x509 -next_serial' in CA.pl
        rather than being initialized to 1.
        [Steve Henson]

I had installed 0.9.7g without removing an existing version of OpenSSL (0.9.7d). I don't know if this is your problem, but I would try removing all versions of OpenSSL and reinstalling 0.9.7g - everything should work when the CA.pl script and the openssl versions are 'in line'.

Hope this helps

Andy Street

Andreas Korber wrote:
> Hi, What am I doing wrong?
EAP-TLS: Certificate creation doesn't work (Debian)
Hi!

I'm using Freeradius 1.1.3 under Debian Etch! I want to configure Freeradius with EAP-TLS in my network, but there are some problems with the certificate creation.

I get this message when I run the file "certs.sh" in the "docs/freeradius/examples/" directory:

    ##
    create private key
    name : name-root
    CA.pl -newcert
    ##

    Generating a 1024 bit RSA private key
    .++
    ++
    writing new private key to 'newreq.pem'
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -
    Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
    ##
    create CA
    use just created 'newreq.pem' private key as filename
    CA.pl -newca
    ##

    CA certificate filename (or enter to create)

    ##
    exporting ROOT CA
    CA.pl -newreq
    CA.pl -signreq
    openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem
    openssl pkcs12 -in root.cer -out root.pem
    ##

    MAC verified OK

    ##
    creating client certificate
    name : name-clt
    client certificate stored as cert-clt.pem
    CA.pl -newreq
    CA.pl -signreq
    ##

    Generating a 1024 bit RSA private key
    ..++
    .++
    writing new private key to 'newreq.pem'
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -
    Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:An optional company name []:Using configuration from /usr/lib/ssl/openssl.cnf
    ./demoCA/serial: No such file or directory
    error while loading serial number
    11733:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./demoCA/serial','r')
    11733:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    Failed to do sign certificate

I think the 6 last lines are important, and I searched for a "serial" file, but it doesn't exist. Are there other users with this problem? How can I solve this problem?

Regards
Julian
Re: EAP-TLS: Certificate creation doesn't work (Debian)
You have to look at certs.sh and modify the paths in that file, as well as the openssl.cnf file. It's kind of a workaround, but I don't have a better way. Or you can

    echo 00 > serial

On 15/12/2007, Julian Stöver <[EMAIL PROTECTED]> wrote:
> Hi!
> I'm using Freeradius 1.1.3 under Debian Etch! I want to configure
> Freeradius with EAP-TLS in my network, but there are some problems with the
> certificate creation.
>
> I get this message when I run the file "certs.sh" in the "docs/
> freeradius/examples/" directory:
>
> [certs.sh output and the ./demoCA/serial error, quoted in full above]
>
> I think the 6 last lines are important, and I searched for a "serial"
> file, but it doesn't exist. Are there other users with this problem?
> How can I solve this problem?
>
> Regards
> Julian
Re: EAP-TLS: Certificate creation doesn't work (Debian)
OK, I already tried to fix the script but didn't try your hint. I've put some extra "echo 00 > serial" into CA.certs, because the file was deleted while running the script. Everything is fine now :-) Thanks!

On 15.12.2007 at 22:55, ikpirhu last wrote:
> You have to look at certs.sh and modify the paths in that file, as well
> as the openssl.cnf file. It's kind of a workaround, but I don't have a
> better way. Or you can
>
>     echo 00 > serial
>
> On 15/12/2007, Julian Stöver <[EMAIL PROTECTED]> wrote:
>> Hi!
>> I'm using Freeradius 1.1.3 under Debian Etch! I want to configure
>> Freeradius with EAP-TLS in my network, but there are some problems with
>> the certificate creation.
>>
>> [certs.sh output and the ./demoCA/serial error, quoted in full above]
>>
>> Regards
>> Julian
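Both threads end the same way: "openssl ca" wants ./demoCA/serial, and the file was never written because the installed openssl does not know the "x509 -next_serial" option that CA.pl (0.9.7e and later) uses to create it. The posts fix that with "echo 00 > serial". The POSIX shell script below is an added example, not part of the thread, of certs.sh, CA.certs or CA.pl, that does the same job a little more carefully: it reports which openssl is on PATH and whether it accepts -next_serial (Andy's version-mismatch check), and, if the serial file is missing, creates it with a random 64-bit start value instead of 00. That is the behaviour the 0.9.7e ChangeLog quoted above describes, and it means a CA rebuilt with the same name does not start re-issuing issuer/serial pairs that a client or CRL already knows. The directory name demoCA is CA.pl's default; the function names, the /dev/urandom and od dependencies and the behaviour of "openssl x509 -help" across versions are assumptions of this example.

```sh
#!/bin/sh
# serial-check.sh: added example for the "./demoCA/serial: No such file or
# directory" failure in the FreeRADIUS EAP-TLS certificate scripts. Not part
# of CA.pl, CA.all, CA.certs or certs.sh. Assumes a Unix with /dev/urandom and od.

CATOP="${CATOP:-./demoCA}"   # same default directory CA.pl uses (assumption)

# 0 = openssl supports -next_serial, 1 = it does not (pre-0.9.7e), 2 = none on PATH.
# Old versions answer "-help" with "unknown option" plus the usage list on
# stderr; newer ones print help on stdout. Grep the merged output either way.
openssl_has_next_serial() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -help 2>&1 | grep -q -- '-next_serial'
}

# 16 hex digits from 8 random bytes. Even length, because OpenSSL rejects a
# serial file with an odd number of hex characters; the first digit is forced
# to 0-7 so the value is unambiguously positive (RFC 5280 4.1.2.2 requires a
# positive serial); an all-zero result is bumped to 1.
random_serial() {
    s=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$s" | cut -c1 | tr '89abcdef' '01234567')
    rest=$(printf '%s' "$s" | cut -c2-)
    s="$first$rest"
    [ "$s" = "0000000000000000" ] && s="0000000000000001"
    printf '%s\n' "$s"
}

# Accept exactly what "openssl ca" will accept: non-empty, hex only, even length.
serial_is_valid() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Create $1/serial (default $CATOP/serial) only if it is missing or empty, so
# an existing counter is never reset (a reset would reuse serial numbers).
# The file is created mode 0600, like the CA key next to it. Prints the value.
ensure_serial_file() {
    dir="${1:-$CATOP}"
    mkdir -p "$dir"
    if [ ! -s "$dir/serial" ]; then
        (umask 077; random_serial > "$dir/serial")
    fi
    cat "$dir/serial"
}

main() {
    echo "openssl on PATH: $(command -v openssl 2>/dev/null || echo none)"
    openssl_has_next_serial
    case $? in
        0) echo "supports -next_serial: CA.pl -newca will write $CATOP/serial itself" ;;
        1) echo "no -next_serial (pre-0.9.7e): creating $CATOP/serial by hand"
           echo "serial = $(ensure_serial_file "$CATOP")" ;;
        2) echo "no openssl found; install one and make sure CA.pl uses it" >&2
           return 2 ;;
    esac
}

# Run the checks when executed as a script; set SERIAL_CHECK_NO_MAIN to only
# source the functions (for example from certs.sh).
[ -n "${SERIAL_CHECK_NO_MAIN:-}" ] || main "$@"
```

Run it from the directory you run certs.sh or CA.certs in, and then run the FreeRADIUS script. Because Julian's certs.sh deleted the serial file partway through, the call to ensure_serial_file belongs right after the step that recreates demoCA, the same place the "echo 00 > serial" went; ensure_serial_file will not touch a serial file that already has content, so it is safe to call more than once. Whatever you choose as the start value, keep demoCA/serial and demoCA/index.txt with the CA key: losing the counter and starting over at 00 under the same issuer name is exactly the duplicate-serial situation the OpenSSL change was made to avoid.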