Re: Problem with creating certificate to use with FreeRADIUS

2008-11-16 Thread notgeekenough

It sounds like you might need to add xpextensions to your server and client
certificates since you are using Windows. You need to create a file
xpextensions and you have to add extra arguments to your certificate
requests. See http://www.linuxjournal.com/article/8095 starting around
Listing 2.


dtrinh wrote:
 
 I am testing EAP-TLS for wireless device and tried to create a certificate
 authority, and use it to sign a client & server certificate using OpenSSL
 for Win32. However, the debug log from RADIUS shows that the certificates
 are bad.
 
 This is the command I used:
 
 ca.pl -newca - to create the CA
 
 then I generate a signing request for the server certificate:
 
 openssl req -new -keyout server_key.pem -out server_req.pem -config ./openssl.cfg
 
 then sign it:
 
 openssl ca -policy policy_anything -out server_cert.pem -infiles server_req.pem
 
 I do the same for the client certificate:
 
 However authentication was unsuccessful and FreeRADIUS log shows that
 client certificate is bad: here is a segment of the log:
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal bad_certificate
 TLS Alert read:fatal:bad certificate
 TLS_accept:failed in SSLv3 read client certificate A
 rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
 rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
   eaptls_process returned 13
   rlm_eap: Freeing handler
   modcall[authenticate]: module eap returns reject for request 4
 modcall: leaving group authenticate (returns reject) for request 4
 auth: Failed to validate the user.
 Login incorrect: [Client/no User-Password attribute] (from client Radius port 1 cli 00-0B-6B-D9-7C-80)
 
 
 
 I can't figure out what is wrong. I know that the RADIUS configuration is
 good because I have a certificate set that I generated several months ago
 and it works.
 
 I included here the bad and good certificates:
 http://www.nabble.com/file/p19820435/goodCert.zip goodCert.zip
 http://www.nabble.com/file/p19820435/badCert.zip badCert.zip
 
 Any help is greatly appreciated.
 
 
  
 

-- 
View this message in context: 
http://www.nabble.com/Problem-with-creating-certificate-to-use-with-FreeRADIUS-tp19820435p20511224.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
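
The reply above points to an xpextensions file for Windows clients. As an added example (not taken from the thread or the linked article), this script issues a test CA plus server and client certificates whose extendedKeyUsage carries the TLS server authentication OID (1.3.6.1.5.5.7.3.1) and client authentication OID (1.3.6.1.5.5.7.3.2), then checks that each is present. It signs with `openssl x509 -req` rather than the thread's `openssl ca` so it runs without a CA directory; the file names, subjects and section names are assumptions.

```shell
#!/bin/sh
# Added example: all file, subject and section names here are constructed.

write_configs() {
    # Minimal request config, passed with -config so nothing depends on a
    # system-wide openssl.cnf being found.
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Extension file: one section per certificate role.
    cat > xpextensions <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
        -config req.cnf -subj "/CN=Example Test CA" \
        -keyout ca_key.pem -out ca_cert.pem 2>/dev/null
}

# issue NAME SECTION: create key and request, then sign with the CA and
# attach the extendedKeyUsage from the named xpextensions section.
issue() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config req.cnf \
        -subj "/CN=${1}" -keyout "${1}_key.pem" -out "${1}_req.pem" 2>/dev/null &&
    openssl x509 -req -in "${1}_req.pem" -CA ca_cert.pem -CAkey ca_key.pem \
        -CAcreateserial -days 30 -sha256 -extfile xpextensions \
        -extensions "$2" -out "${1}_cert.pem" 2>/dev/null
}

# has_eku CERT TEXT: true if the certificate's text dump names that usage.
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

build_demo_pki() {   # build CA, server and client certs inside directory $1
    cd "$1" && write_configs && make_ca &&
    issue server xpserver_ext && issue client xpclient_ext
}

dir=$(mktemp -d) && build_demo_pki "$dir" &&
    has_eku server_cert.pem "TLS Web Server Authentication" &&
    has_eku client_cert.pem "TLS Web Client Authentication" &&
    echo "server and client certificates carry the expected EKU in $dir"
```

With the thread's `openssl ca` workflow, the same `-extfile xpextensions -extensions xpserver_ext` (or `xpclient_ext`) arguments go on the signing command.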


Problem with creating certificate to use with FreeRADIUS

2008-10-06 Thread dtrinh

I am testing EAP-TLS for wireless device and tried to create a certificate
authority, and use it to sign a client & server certificate using OpenSSL
for Win32. However, the debug log from RADIUS shows that the certificates are
bad.

This is the command I used:

ca.pl -newca - to create the CA

then I generate a signing request for the server certificate:

openssl req -new -keyout server_key.pem -out server_req.pem -config ./openssl.cfg

then sign it:

openssl ca -policy policy_anything -out server_cert.pem -infiles server_req.pem

I do the same for the client certificate:

However authentication was unsuccessful and FreeRADIUS log shows that client
certificate is bad: here is a segment of the log:
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 4
modcall: leaving group authenticate (returns reject) for request 4
auth: Failed to validate the user.
Login incorrect: [Client/no User-Password attribute] (from client Radius port 1 cli 00-0B-6B-D9-7C-80)



I can't figure out what is wrong. I know that the RADIUS configuration is
good because I have a certificate set that I generated several months ago and
it works.

I included here the bad and good certificates:
http://www.nabble.com/file/p19820435/goodCert.zip goodCert.zip
http://www.nabble.com/file/p19820435/badCert.zip badCert.zip

Any help is greatly appreciated.


 
-- 
View this message in context: 
http://www.nabble.com/Problem-with-creating-certificate-to-use-with-FreeRADIUS-tp19820435p19820435.html


Problem in creating certificate

2006-01-12 Thread Konark

While creating RSA:1024 certificate, I got this error

Command :

openssl req -newkey rsa:1024 -sha1 -keyout c:\test\rootkey.pem -out c:\test\cert_ssl.pem

Error :

3284:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:


RE: Problem in creating certificate

2006-01-12 Thread Vishnubhatla, Vijaya Bhaskar



Hi, 
Check your PATH whether you included the openssl.cnf file, 
otherwise you include it with the option of -extfile path to your 
openssl.cnf.
Hope it works
Thanks,
Bhaskar







RE: Problem in creating certificate

2006-01-12 Thread Konark









Thanks to all.

I got the solution. It is a problem with the config file: I included the config file using the -config FILENAME option.

Regards,

konark




