Make the server certificate from Thawte
Hello. I want to use the certificate from Thawte. First of all I tried to use the free SSL certificate from Thawte. I received 3 certificates in PEM format: my Thawte trial SSL certificate, Thawte Trial Secure Server Intermediate CA and Thawte Test CA Root certificate, in the format:

    -BEGIN CERTIFICATE-
    text here
    -END CERTIFICATE-

I made .pem files from them with no new line at the end of the file. The eap.conf is:

    private_key_password =    (is empty because no password in certificates)
    private_key_file = ${certdir}/trialThawte.pem
    certificate_file = ${certdir}/trialThawteCA.pem

radiusd -X:

    rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
    rlm_eap_tls: Error reading private key file /etc/raddb/certs/trialThawte.pem
    rlm_eap: Failed to initialize type tls

Tried to make .pem by the following commands (server.key and server.csr were used as input to make the Thawte certificate; server.crt is the received Thawte certificate):

    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:1234 -passout pass:1234
    unable to load private key
    139734217189032:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:467:
    139734217189032:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:476:

    openssl pkcs12 -in server.crt -out server.pem -passin pass:12345 -passout pass:12345
    140259536533160:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
    140259536533160:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12

I am confused that:
1. no passwords in received Thawte certificates
2. Root CA and Web Server CA
3. different pem format is used in RADIUS and is received from Thawte

What algorithm should be used to make pem certificate files valid for FreeRADIUS from these Thawte certificates?

FreeRADIUS Version 2.1.7, for host x86_64-pc-linux-gnu

--
Best Regards,
Shildyakov Alexey Vladimirovich

- List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
Re: Make the server certificate from Thawte
Hi,

> I want to use the certificate from Thawte. First of all I tried to use free SSL certificate from Thawte. I received 3 certificates in PEM-format: my Thawte trial SSL certificate, Thawte Trial Secure Server Intermediate CA and Thawte Test CA Root certificate in format:
>
>     -BEGIN CERTIFICATE-
>     text here
>     -END CERTIFICATE-
>
> I made .pem files from them with no new line in end of file. The eap.conf is:
>
>     private_key_password =    (is empty because no password in certificates)
>     private_key_file = ${certdir}/trialThawte.pem
>     certificate_file = ${certdir}/trialThawteCA.pem

nope. for private key you need your private key - the one that you made before making the CSR for thawte

for certificate file you need the trialThawte file

then for CA file you need a file that contains the Server Intermediate CA and Thawte Test CA Root concatenated together

> 1. no passwords in received Thawte certificates

if you use passwords for the private key then you will have one

> 3. different pem format is used in RADIUS and is received from Thawte

no. FR uses PEM quite happily

alan
Re: Make the server certificate from Thawte
> nope. for private key you need your private key - the one that you made before making the CSR for thawte

Yes. Thank you. I was confused because by default FreeRADIUS has the ${raddbdir}/certs/cert-srv.pem value here.

> for certificate file you need the trialThawte file
> then for CA file you need a file that contains the Server Intermediate CA and Thawte Test CA Root concatenated together
> if you use passwords for the private key then you will have one

Yes. It's true.

Summing up, the algorithm to configure a certificate from a Trusted CA:

1. cd /etc/raddb/certs
2. openssl genrsa -des3 -out server.key 2048. Remember the passphrase you have entered.
3. openssl req -new -key server.key -out server.csr. Write suitable X.509 attributes.
4. Upload server.csr to your CA (Thawte, Verisign, GeoTrust)
5. Receive the SSL certificate, Secure Server Intermediate CA and CA Root certificate from the Trusted CA.
6. Write the received SSL certificate to file server.pem
7. Write the received Secure Server Intermediate CA and CA Root certificates concatenated together to file ca.pem
8. Set the eap.conf tls section:

       certdir = ${confdir}/certs
       cadir = ${confdir}/certs
       private_key_password = passphrase_you_entered_while_creating_server.key
       private_key_file = ${certdir}/server.key
       CA_file = ${cadir}/ca.pem

Is it possible to add this instruction to certs/README to avoid this topic emerging again?

--
Best Regards,
Shildyakov Alexey Vladimirovich
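A pre-flight check for the three files the eap.conf tls section names, written as an added example for this thread (it is neither the poster's code nor part of FreeRADIUS). It covers the file layout from the summary above (steps 6 to 8) together with alan's earlier description of which file goes where, and assumes in addition that certificate_file points at server.pem as in the first message. The check is pure POSIX shell: it classifies each file by its PEM headers, so private_key_file pointing at a certificate (the cause of the "PEM_read_bio: no start line" error in the first message) is reported before radiusd -X is run, and the ca.pem builder appends a newline after any input saved without one, so the END line of the intermediate and the BEGIN line of the root never end up on the same line. The PEM bodies below are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: sanity-check
# the files named by private_key_file, certificate_file and CA_file.
set -eu

# Count "-----BEGIN <label>-----" lines in a PEM file (prints 0 when none).
pem_block_count() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# Succeed when the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Print the kind of PEM file: key, cert, chain (two or more certs) or none.
classify_pem() {
    cp_keys=$(grep -cE '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----$' "$1" || true)
    cp_certs=$(pem_block_count "$1" CERTIFICATE)
    if [ "$cp_keys" -gt 0 ]; then echo key
    elif [ "$cp_certs" -gt 1 ]; then echo chain
    elif [ "$cp_certs" -eq 1 ]; then echo cert
    else echo none
    fi
}

# build_ca_bundle OUT FILE... : step 7 of the summary, concatenating the
# intermediate and root certificates; a newline is added after any input
# that lacks one so every BEGIN line starts on its own line.
build_ca_bundle() {
    bcb_out=$1; shift
    : > "$bcb_out"
    for bcb_f in "$@"; do
        cat "$bcb_f" >> "$bcb_out"
        ends_with_newline "$bcb_f" || printf '\n' >> "$bcb_out"
    done
}

# check_eap_tls_files KEY CERT CA : one line per problem, non-zero exit if
# any file is not the kind its eap.conf setting expects.
check_eap_tls_files() {
    ce_rc=0
    ce_k=$(classify_pem "$1"); ce_c=$(classify_pem "$2"); ce_a=$(classify_pem "$3")
    [ "$ce_k" = key ] || { echo "private_key_file $1: expected a PRIVATE KEY block, found '$ce_k'"; ce_rc=1; }
    case "$ce_c" in cert|chain) ;; *) echo "certificate_file $2: expected a CERTIFICATE block, found '$ce_c'"; ce_rc=1 ;; esac
    case "$ce_a" in cert|chain) ;; *) echo "CA_file $3: expected CA certificates, found '$ce_a'"; ce_rc=1 ;; esac
    for ce_f in "$1" "$2" "$3"; do
        ends_with_newline "$ce_f" || { echo "$ce_f: no trailing newline"; ce_rc=1; }
    done
    return $ce_rc
}

# --- constructed demo files: placeholder base64, not real keys or certs ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
# A passphrase-protected key as "openssl genrsa -des3" would write it (step 2).
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
    'Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgS0VZ' '-----END RSA PRIVATE KEY-----' > "$DEMO/server.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0VSVkVSIENFUlQ=' \
    '-----END CERTIFICATE-----' > "$DEMO/server.pem"
# Saved the way the first message describes: no newline at end of file.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgSU5URVJNRURJQVRF' \
    '-----END CERTIFICATE-----' > "$DEMO/intermediate.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUk9PVA==' \
    '-----END CERTIFICATE-----' > "$DEMO/root.pem"

build_ca_bundle "$DEMO/ca.pem" "$DEMO/intermediate.pem" "$DEMO/root.pem"

echo "layout from the summary (key, server.pem, ca.pem):"
check_eap_tls_files "$DEMO/server.key" "$DEMO/server.pem" "$DEMO/ca.pem" && echo "  ok"
echo "layout from the first message (private_key_file -> a certificate):"
check_eap_tls_files "$DEMO/server.pem" "$DEMO/ca.pem" "$DEMO/ca.pem" || echo "  radiusd -X would fail here"
```

Run it against the real /etc/raddb/certs files by replacing the constructed paths; the classification only reads PEM header lines, so it works on a passphrase-protected key without the passphrase and never touches key material.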