certificate issue

2006-09-01 Thread Kartthik
When I run the CA.all script to generate the certificates, all the certificates get generated except root.cer, and I get the error message below:

+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin 'pass:whatever' -passout 'pass:whatever'
No certificate matches private key
+ openssl pkcs12 -in root.p12 -out root.pem -passin 'pass:whatever' -passout 'pass:whatever'
17703:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
unable to load certificate
17704:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
+ echo -e ''

I deleted newcert.pem and newreq.pem, but it still didn't work.

I did a fresh installation of openssl 0.9.8 but still get this error message, and I tried a different passin key and DN. Can someone help me resolve this issue?

Thanks,
Kartthik
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: certificate issue

2006-08-31 Thread K. Hoercher

On 8/31/06, Kartthik [EMAIL PROTECTED] wrote:

I ran the CA.all script, before it issues the 2nd certificate I get this
error message. Surely I know someone should have faced this issue, could

[...]

Using configuration from /usr/local/openssl/ssl/openssl.cnf

[...]

failed to update database
TXT_DB error number 2


I suspect the index.txt for the generated CA is not writeable or not
present. On rechecking the CA.all script I find it a bit fragile with
respect to local environments. As it would be nice (judging from
numerous reports about problems users encounter due to certificate
issues) to provide a known (almost always) working set of generation
tools, I'm contemplating a few improvements just now.

regards
K. Hoercher
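
A preflight check for the CA database that `openssl ca` updates, as an added example that is not part of the thread or of CA.all. It covers the missing or unwritable index.txt case suspected above and also duplicate entries, since TXT_DB error number 2 is OpenSSL's index-clash code (DB_ERROR_INDEX_CLASH in txt_db.h). It assumes OpenSSL's default layout (index.txt and serial in the CA directory, six tab-separated fields per entry); the sample entries and function names are constructed.

```python
import os
import tempfile
from collections import Counter


def check_ca_database(ca_dir, new_subject=None):
    """List problems that would stop `openssl ca` updating ca_dir/index.txt."""
    problems = []
    index = os.path.join(ca_dir, "index.txt")
    for path in (index, os.path.join(ca_dir, "serial")):
        if not os.path.isfile(path):
            problems.append("missing: " + os.path.basename(path))
        elif not os.access(path, os.W_OK):
            problems.append("not writable: " + os.path.basename(path))
    if not os.path.isfile(index):
        return problems
    subjects, serials = Counter(), Counter()
    with open(index, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            fields = line.rstrip("\n").split("\t")
            if len(fields) != 6:
                problems.append(f"line {n}: expected 6 tab-separated fields")
                continue
            status, _exp, _rev, serial, _file, subject = fields
            serials[serial.upper()] += 1
            if status == "V":      # unique_subject only indexes valid entries
                subjects[subject] += 1
    problems += [f"duplicate serial: {s}" for s, c in serials.items() if c > 1]
    problems += [f"duplicate valid subject: {s}"
                 for s, c in subjects.items() if c > 1]
    if new_subject is not None and subjects[new_subject]:
        problems.append(f"subject already issued and still valid: {new_subject}")
    return problems


def make_sample_ca(index_lines, with_serial=True):
    """Build a throwaway CA directory from constructed index.txt lines."""
    ca_dir = tempfile.mkdtemp(prefix="demoCA-")
    with open(os.path.join(ca_dir, "index.txt"), "w", encoding="utf-8") as fh:
        fh.writelines(l + "\n" for l in index_lines)
    if with_serial:
        with open(os.path.join(ca_dir, "serial"), "w") as fh:
            fh.write("03\n")
    return ca_dir


# Constructed sample entries (status, expiry, revocation, serial, file, subject).
SAMPLE_INDEX = [
    "V\t070830222540Z\t\t01\tunknown\t/C=US/CN=server.example",
    "R\t070830222540Z\t060901000000Z\t02\tunknown\t/C=US/CN=old.example",
]
```

Passing the subject of the request about to be signed as `new_subject` reports a clash before `openssl ca` is run; a revoked entry with the same subject does not count.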


certificate issue

2006-08-30 Thread Kartthik
I ran the CA.all script; before it issues the 2nd certificate I get this error message. Surely someone must have faced this issue; could you please help me to resolve it?

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name []:
+ openssl ca -policy policy_anything -out newcert.pem -passin '' -key '' -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
Using configuration from /usr/local/openssl/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
a1:cc:f7:86:19:ea:57:48
Validity
Not Before: Aug 30 22:25:40 2006 GMT
Not After : Aug 30 22:25:40 2007 GMT
Subject:
countryName   = US
stateOrProvinceName   = 
localityName  = 
organizationName  = 
organizationalUnitName= 
commonName= 
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Aug 30 22:25:40 2007 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin 'pass:' -passout 'pass:'
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin 'pass:' -passout 'pass:'
22665:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
22666:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

##

Thanks in advance.

Certificate issue with TLS

2004-10-03 Thread Bilal Ahmed
Hi,

I am still working on my problem and still haven't been able to find
a solution. This is my first experience with Freeradius and OpenSSL,
hence my ignorance.
 
In view of my experience with these two products over the last couple of
days, I have a few more questions:

1- Is the use of .pem files mandatory for private key files that we
configure our server with? I have tried setting up the server to use
.der files, but to no avail. In the file ssl_rsa.c on line 704, an
error is returned while initializing Freeradius because the file type
of my private key file is NOT pem. Therefore the Freeradius server
never gets to start.

I have pem_file_type set to no in eap.conf. Do I need to do the same in
some other file as well?

2- The particular version of SSL running on my Client does not support
pem format. Now when my Freeradius server sends it a .pem file in the
server handshake message, and my client tries to parse it out, I am
returned an error: ERR_R_EXPECTING_AN_ASN1_SEQUENCE. Following is the
program flow:

ssl3_connect()
|
-- ssl3_get_server_certificate()
|
-- d2i_X509()
  |
-- asn1_GetSequence()
.
.
if (c->tag != V_ASN1_SEQUENCE)
{
c->error=ERR_R_EXPECTING_AN_ASN1_SEQUENCE;
return(0);
}
.
.


Now, is it fair to assume that this error is occurring precisely because
of the fact that my Client does not support .pem version of files?

Thanks,
Bilal
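
What the `V_ASN1_SEQUENCE` check in the flow above is looking at, as an added example that is not code from the post or from OpenSSL: a DER certificate begins with the SEQUENCE identifier byte 0x30, while a PEM file is base64 of those same bytes wrapped in BEGIN/END lines and so begins with `-`. The sample bytes are constructed and are not a real certificate; the function names are illustrative.

```python
import base64
import re

V_ASN1_SEQUENCE = 16   # universal tag number, as in OpenSSL's asn1.h
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(data):
    """Strip the PEM armor and return the DER bytes it wraps."""
    m = PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM start/end lines found")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)


def read_header(buf):
    """Parse one DER header: (tag, constructed, header_len, content_len)."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    ident, first = buf[0], buf[1]
    if ident & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    if first < 0x80:                       # short form: length in one byte
        hlen, clen = 2, first
    else:                                  # long form: next n bytes are length
        n = first & 0x7F
        if n == 0 or len(buf) < 2 + n:
            raise ValueError("truncated or indefinite length")
        hlen, clen = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    if clen > len(buf) - hlen:
        raise ValueError("declared length exceeds available data")
    return ident & 0x1F, bool(ident & 0x20), hlen, clen


def looks_like_der_sequence(buf):
    """Outer check a DER certificate parser makes before anything else."""
    try:
        tag, constructed, _, _ = read_header(buf)
    except ValueError:
        return False
    return constructed and tag == V_ASN1_SEQUENCE


# Constructed sample: a 300-byte SEQUENCE of zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Running `looks_like_der_sequence` on the raw bytes of a file shows whether it is DER or still PEM text; `pem_to_der` recovers the DER form from the latter.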
