Re: non valid client cert for EAP/TLS

2004-09-22 Thread Joe Matuscak
On Wed, 22 Sep 2004, Lara Adianto wrote:

> I followed the instructions in the following howto on the net:
> http://www.freeradius.org/doc/EAPTLS.pdf

I found the certificate creation part of that howto to be sort of 
confusing. I think the key thing is that the certificates are normal other 
than wanting the extension for the OID. 

> CA cert:
> *

The CA cert looks OK to me. FWIW, I'd kick up the days on the lifetime.  
When the CA cert expires, all the other certs you've signed break too.


> Client cert:
> *
> /usr/local/openssl/bin/openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever
> /usr/local/openssl/bin/openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
> /usr/local/openssl/bin/openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:whatever -passout pass:whatever

I'm not clear what he was trying to accomplish with the manipulations 
after this.  What I've done is use the pkcs12 file created at this point 
to install the cert on the Windows machine and that has worked for me. I'd 
say try copying cert-clt.p12 to your Windows system and use the MMC 
Certificate snap-in to load it. 


> Btw, when I installed the ca, it said that windows can't verify the
> integrity of the ca bec test.adianto.com can't be contacted. I chose to
> install the cert anyway, and the status is ok. So, prob that is not the
> source of the problem.

I think that is normal. 


Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(330)335-1541
[EMAIL PROTECTED]



non valid client cert for EAP/TLS

2004-09-22 Thread Lara Adianto
Hi list,
 
I set up EAP/TLS & FreeRadius auth for a Windows XP client, and currently hit the wall in the certificate generation.
 
I followed the instructions in the following howto on the net:
http://www.freeradius.org/doc/EAPTLS.pdf
 
The certs are generated as follows:
 
CA cert:
*
rm -rf demoCA
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever 
CA.sh -newca >/dev/null 
/usr/local/openssl/bin/openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever 
/usr/local/openssl/bin/openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever 
/usr/local/openssl/bin/openssl x509 -inform PEM -outform DER -in root.pem -out root.der 
 
Client cert:
*
/usr/local/openssl/bin/openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever 
/usr/local/openssl/bin/openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
/usr/local/openssl/bin/openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:whatever -passout pass:whatever
/usr/local/openssl/bin/openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:whatever -passout pass:whatever 
/usr/local/openssl/bin/openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der 
Then I transferred root.der and cert-clt.p12 to winxp and installed them, following the instructions in Ken Roser's howto.
 
The problem is that the client cert status showed: This certificate has a nonvalid digital signature. Attached is the ca cert and client cert (I don't bother with the server cert yet).
 
Btw, when I installed the ca, it said that windows can't verify the integrity of the ca bec test.adianto.com can't be contacted. I chose to install the cert anyway, and the status is ok. So, prob that is not the source of the problem.
 
What can cause the 'nonvalid digital signature'? Any suggestions on how to solve it?
The openssl used is openssl-0.9.7d, installed on Red Hat Linux.
 
Thanks,
lara
Life, you see, is never as good or as bad as one thinks. - Guy de Maupassant -

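One thing worth doing before copying anything to the Windows box is to check, on the Linux side, that the client cert really chains to the CA and carries the clientAuth extension the howto's xpclient_ext section adds. The script below is an added example, not code from the thread or from FreeRADIUS: it builds a throwaway CA and client cert in the same shape as the howto (the subject names, file names and the content of the xpextensions file are assumptions, and it signs with `openssl x509 -req` so no demoCA tree is needed) and then runs the check with `openssl verify`.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and an EAP-TLS
# client cert with the XP clientAuth extension, then verify the chain with
# openssl before importing anything into Windows.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA and a client cert signed by it. All names and the
# xpextensions section are constructed test material, not real values.
make_eaptls_certs() {
    cat > "$WORK/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    # Self-signed CA, long lifetime: when it expires every cert it signed breaks too.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example EAP-TLS CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Client key + CSR.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=client1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    # Sign the CSR with the CA and attach the xpclient_ext extension.
    openssl x509 -req -days 730 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/xpextensions" -extensions xpclient_ext \
        -out "$WORK/client.pem" 2>/dev/null
}

# verify_client_cert CA.pem CLIENT.pem
# Returns 0 only if the cert's signature chains to the given CA and the cert
# carries the TLS client authentication EKU that Windows expects for EAP-TLS.
# A cert signed by some other CA fails the first check, which is the local
# equivalent of Windows reporting a nonvalid digital signature.
verify_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" 2>&1 | grep -q ': OK$' || return 1
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
}
```

Run `verify_client_cert root.pem cert-clt.pem` against your own files (the PEM forms from the howto) to get a yes/no answer before touching the MMC snap-in.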