On 01/23/2013 01:53 PM, Stephan Manske wrote:
> IMHO this patch
> https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
> with
> +ca.key ca.pem: ca.cnf index.txt serial
> makes ca.key dependent on the date of index.txt and serial.
> Both files are updated every time a new client cert is built. IMHO.
Good catch! Yes, every time you generate a client cert both the database
(index.txt) and the serial number file are updated. The database file
keeps a record of every cert issued by the CA. The serial file is used
so the CA knows the next serial number to use.
The cert generation only works once, the next client cert issue causes a
new CA key/cert to be generated.
But there is another problem as well. The client.cnf file embeds the
cert subject name. Apparently the openssl ca command will not update the
database if there already is a cert with the same subject, which there
will be unless you edit the client.cnf file. This causes the ca command
to fail. It doesn't matter if the cert with the duplicate subject has a
different serial number.
As for why, in different circumstances, you've seen openssl emit the error
about incomplete data: my best guess is the client files might have been
corrupted when the ca command failed. If it were only a CA key change
issue you should have just gotten a bad signature verification failure.
HTH,
John
--
John Dennis <jden...@redhat.com>
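A reproduction of the dependency problem Stephan points out, added here as an example that is not part of the thread and not the FreeRADIUS raddb/certs/Makefile: a stand-in Makefile keeps only the prerequisite line under discussion, and the openssl ca command is simulated by a recipe that rewrites index.txt and serial the way the real command does. The "fixed" variant, which just drops the two files from the CA rule's prerequisites, is my own assumption, not the project's actual fix.

```shell
#!/bin/sh
# Stand-in Makefile (not the FreeRADIUS one) reproducing the dependency shape
# from the quoted patch. The CA rule counts its own runs in ca.gen; the client
# rule touches index.txt and serial, as "openssl ca" updates both on every issue.
set -eu

# $1 = directory, $2 = buggy | fixed. "buggy" uses the questioned prerequisite
# line; "fixed" (an assumption) leaves index.txt and serial out of it.
write_makefile() {
    if [ "$2" = buggy ]; then deps='ca.cnf index.txt serial'; else deps='ca.cnf'; fi
    {
        printf 'ca.key ca.pem: %s\n' "$deps"
        printf '\tn=$$(cat ca.gen 2>/dev/null || echo 0); echo $$((n+1)) > ca.gen\n'
        printf '\ttouch ca.key ca.pem\n'
        printf 'index.txt:\n\ttouch index.txt\n'
        printf 'serial:\n\techo 01 > serial\n'
        printf 'client.pem: client.cnf ca.pem\n'
        # the sleep keeps mtimes distinct on filesystems with 1 s resolution
        printf '\tsleep 1; touch index.txt serial client.pem\n'
    } > "$1/Makefile"
}

# Issue a client cert, edit client.cnf (a new subject), issue again, and print
# how many times the CA key/cert rule ran. Expected: buggy 2, fixed 1.
ca_generations() {
    dir=$(mktemp -d)
    write_makefile "$dir" "$1"
    (
        cd "$dir"
        : > ca.cnf; : > client.cnf        # constructed empty config stand-ins
        make -s client.pem                # first client cert: CA built once
        sleep 1; touch client.cnf         # operator edits the subject
        make -s client.pem                # second client cert
    )
    cat "$dir/ca.gen"
    rm -rf "$dir"
}

echo "buggy rule: CA generated $(ca_generations buggy) time(s)"
echo "fixed rule: CA generated $(ca_generations fixed) time(s)"
```

With the questioned rule the second client issue silently replaces the CA key and cert, so every earlier certificate stops verifying; the fixed variant builds the CA once.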