John, I am confused. I will be grateful if you could specify the sequence of commands to be run after "make destroycerts".

Note that:

a) Running JUST "make client" generates "client.pem" and "ca.pem", but no "server.pem".
b) Running JUST "make" generates "server.pem" and "ca.pem", but no "client.pem".

On Tue, Jan 8, 2013 at 1:44 AM, John Dennis <jden...@redhat.com> wrote:

> On 01/07/2013 02:41 PM, Ajay Garg wrote:
>
>> Upon restarting, it shows a "missing server.pem" error.
>> I reckon that we need to run "make server" too at some point of time (so
>> that "server.pem" gets generated after "make destroycerts").
>
> make destroycerts should have removed all the pem files and keys. After
> running make again it will generate all new files. client has a dependency
> on ca and server files so it should have created a new ca, new server key
> and cert, a new client cert. Did it?
>
> Just to be clear, your client needs to trust the CA that signed your
> server cert and the server needs to trust the CA that signed your client
> cert. Typically those are located on two different machines. Make sure
> those line up or you're doomed. It's not clear to me which machines you're
> running these commands on and where you're copying the resulting files, but
> that's critical to get right. You can use the same CA to sign both the
> server cert and the client cert, but that's not a requirement, it just
> helps simplify the deployment a tad bit.
>
>> HOWEVER, I am now confused which "ca.pem" to consider, the one generated
>> via "make server", or the one generated via "make client"?
>
> Argh... you really need to be much more clear with what you're doing. If
> you're running the cert creation commands on different machines and leaving
> the results on that machine this will never work.
>
> Make sure you understand the RELATIONSHIP BETWEEN A CERTIFICATE AND ITS
> SIGNER (issuing CA) and how that translates to the configuration parameters
> for each software component (see above).
>
> --
> John Dennis <jden...@redhat.com>

--
Regards,
Ajay
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
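
The certificate-to-signer relationship discussed in this thread, as an added example that is not part of the original messages or the project's Makefile: two directories stand in for two machines that each generated their own CA, and `openssl verify` shows that a cert only validates against the `ca.pem` whose key signed it. The function names, directory names `A`/`B` and subject names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a cert verifies only against the ca.pem whose key signed it.
# All names and paths below are constructed for illustration.
write_cnf() {   # minimal OpenSSL config so the CA cert is marked CA:TRUE
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

# make_ca DIR: create a fresh self-signed CA (ca.key, ca.pem) in DIR.
make_ca() {
    mkdir -p "$1" && write_cnf "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -subj "/CN=Example Certificate Authority" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME: create NAME.key and NAME.pem signed by the CA in DIR.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}

# trusts CAFILE CERT: succeeds only if CERT chains to the CA in CAFILE.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: "machine A" and "machine B" each ran certificate generation on their own.
demo() {
    d=$(mktemp -d)
    make_ca "$d/A" && issue_cert "$d/A" server
    make_ca "$d/B" && issue_cert "$d/B" client
    trusts "$d/A/ca.pem" "$d/A/server.pem" && echo "A/server.pem vs A/ca.pem: OK"
    trusts "$d/B/ca.pem" "$d/A/server.pem" || echo "A/server.pem vs B/ca.pem: FAIL"
    rm -rf "$d"
}
demo
```

Both CAs carry the same subject name, so the two `ca.pem` files look interchangeable by name; only the signing key distinguishes them, which is why copying the wrong one between machines breaks verification.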