certificate issue
When I run the CA.all script to generate the certificates, all the certificates get generated except root.cer, and I get the below error message:

+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin 'pass:whatever' -passout 'pass:whatever'
No certificate matches private key
+ openssl pkcs12 -in root.p12 -out root.pem -passin 'pass:whatever' -passout 'pass:whatever'
17703:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
unable to load certificate
17704:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
+ echo -e ''

I deleted the newcert.pem and newreq.pem but still it didn't work. Did a fresh installation of openssl 0.9.8 but still get this error message, and tried with a different passin key and DN. Can someone help me to resolve this issue?

Thanks,
Kartthik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: certificate issue
On 8/31/06, Kartthik [EMAIL PROTECTED] wrote:
> I ran the CA.all script, before it issues the 2nd certificate I get this
> error message. Surely I know someone should have faced this issue, could
> [...]
> Using configuration from /usr/local/openssl/ssl/openssl.cnf
> [...]
> failed to update database
> TXT_DB error number 2

I suspect the index.txt for the generated CA being not writeable/not present.

On rechecking the CA.all script I find it a bit fragile with respect to local environments. As it would be nice (judging from numerous reports about problems users encounter due to certificate issues) to provide a known (almost always) working set of generation tools, I'm contemplating a few improvements just now.

regards
K. Hoercher
certificate issue
I ran the CA.all script; before it issues the 2nd certificate I get this error message. Surely I know someone should have faced this issue, could you pls help me to resolve it.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
+ openssl ca -policy policy_anything -out newcert.pem -passin 'pass:' -key '' -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
Using configuration from /usr/local/openssl/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: a1:cc:f7:86:19:ea:57:48
Validity
Not Before: Aug 30 22:25:40 2006 GMT
Not After : Aug 30 22:25:40 2007 GMT
Subject:
countryName = US
stateOrProvinceName =
localityName =
organizationName =
organizationalUnitName=
commonName=
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Aug 30 22:25:40 2007 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin 'pass:' -passout 'pass:'
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin 'pass:' -passout 'pass:'
22665:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
22666:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'
##

Thanks in advance.
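The `TXT_DB error number 2` in the log above is OpenSSL's index-clash code: the new row collides with an existing serial or, with `unique_subject = "yes"`, with a still-valid row for the same subject. An added Python example (not part of the post or of CA.all) that scans an index.txt for such collisions; the sample rows and function names are constructed for illustration.

```python
# Added example: find rows in an `openssl ca` index.txt that would collide
# with a new certificate. Function names and sample rows are constructed.
from typing import NamedTuple

class Row(NamedTuple):
    status: str      # V = valid, R = revoked, E = expired
    expires: str     # YYMMDDHHMMSSZ
    revoked: str     # empty unless status is R
    serial: str      # hex, no colons
    filename: str    # usually "unknown"
    subject: str     # one-line DN, e.g. /C=US/O=.../CN=...

def parse_index(text):
    """Parse index.txt: six tab-separated fields per line."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {n}: expected 6 fields, got {len(fields)}")
        rows.append(Row(*fields))
    return rows

def find_clashes(rows, serial, subject, unique_subject=True):
    """Return (reason, row) pairs that would block adding serial/subject."""
    clashes = []
    for row in rows:
        if row.serial.upper() == serial.upper():
            clashes.append(("serial", row))
        # Only still-valid rows count towards the unique-subject rule.
        if unique_subject and row.status == "V" and row.subject == subject:
            clashes.append(("subject", row))
    return clashes

# Constructed sample: one valid CA row and one revoked row.
SAMPLE_INDEX = (
    "V\t070830222540Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n"
    "R\t070830222540Z\t060901000000Z\t02\tunknown\t/C=US/O=Example/CN=old\n"
)

if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    for reason, row in find_clashes(rows, "03", "/C=US/O=Example/CN=server"):
        print(f"{reason} clash with serial {row.serial} ({row.subject})")
```

A non-empty result for the subject and serial about to be signed means the database insert will be refused until the old row is revoked or the new request uses a different DN.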
Certificate issue with TLS
Hi,

I am still working on my problem and still haven't been able to find out a solution. This is my first experience with Freeradius and OpenSSL, hence my ignorance. In view of my experience with these two products over the last couple of days, I have a few more questions:

1- Is the use of .pem files mandatory for Private Key files that we configure our server with? I have tried setting up the server to use .der files but to no avail. In the file ssl_rsa.c on line 704, I am returned an error during initializing the Freeradius because the file type of my private key file is NOT pem. And therefore the freeradius server never gets to start. I have pem_file_type set to no in eap.conf. Do I need to do the same in some other file as well?

2- The particular version of SSL running on my Client does not support pem format. Now when my Freeradius server sends it a .pem file in the server handshake message, and my client tries to parse it out, I am returned an error: ERR_R_EXPECTING_AN_ASN1_SEQUENCE. Following is the program flow:

ssl3_connect()
 |
  -- ssl3_get_server_certificate()
      |
       -- d2i_X509()
           |
            -- asn1_GetSequence()
               .
               .
               if (c->tag != V_ASN1_SEQUENCE)
               {
                   c->error=ERR_R_EXPECTING_AN_ASN1_SEQUENCE;
                   return(0);
               }
               .
               .

Now, is it fair to assume that this error is occurring precisely because of the fact that my Client does not support .pem version of files?

Thanks,
Bilal
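PEM is base64-armoured DER (a file encoding; the TLS Certificate message itself carries DER), so the same certificate passes or fails the outer-tag check in the flow above depending only on which bytes reach the parser. An added Python example, not from the post or from OpenSSL; the function names are hypothetical and the sample blob is constructed filler, not a real certificate.

```python
# Added example: apply a DER parser's outer-header check to PEM and DER input.
import base64
import re

V_ASN1_SEQUENCE = 0x10   # universal tag number for SEQUENCE
CONSTRUCTED = 0x20       # "constructed" bit in the identifier octet

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM start line")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)

def read_outer_header(der: bytes):
    """Return (tag_number, constructed, content_length, header_length)."""
    if len(der) < 2:
        raise ValueError("truncated header")
    tag, first = der[0], der[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not expected here")
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("truncated header")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if length > len(der) - hdr:
        raise ValueError("declared length exceeds data")
    return tag & 0x1F, bool(tag & CONSTRUCTED), length, hdr

def looks_like_der_sequence(data: bytes) -> bool:
    """True if the input starts with a well-formed constructed SEQUENCE."""
    try:
        number, constructed, _, _ = read_outer_header(data)
    except ValueError:
        return False
    return number == V_ASN1_SEQUENCE and constructed

# Constructed sample: a SEQUENCE of 300 filler bytes, and the same bytes as PEM.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Running `looks_like_der_sequence` on a file before handing it to a DER-only consumer separates an encoding mismatch (PEM text, or an empty file left by a failed export step) from a genuinely malformed certificate.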