Artur Hecker wrote:
hi
Thanks to the EAP/TLS Howto, I was able to set up the radius server and get all the authentication I needed going.
Now the script, which creates the root certificate, generates root.pem with a lifetime of 30 days.
After that, authentication doesn't work, OK. Last month I recreated everything. That's a pain...
> > - How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expiration date. take a look at the scripts.
Well, I didn't find any expiration date in my CA.root script. In openssl.cnf I have:

default_days = 365 # how long to certify for
default_crl_days = 365

These only seem to affect the 'user' certs - gives them a one-year lifetime.
Using the script in http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
This is the script CA.root I am using.
---snipsnip---
#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA
echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo
# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo
echo "newreq.pem" | CA.pl -newca >/dev/null
echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo
# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#Clean Up
rm -rf newreq.pem
---snipsnip---
This script creates my 'root.der' file, which I store on the wifi clients.
I have the second box, with software up and running.
But again, the certificates: - My first attempt - just copying them - didn't work. OK, just a try.
why? what exactly did you copy and what exactly did you certify?
- Second, since the certs are tied to hostname, I recreated them - guess what...
well, you have to look at what you are doing. are you sure that your certificates are tied to the host address? because mine are not. and i doubt that this is verified anyway. the server simply has a pair of keys and both are signed and one of them (the private) is encrypted. the possession of the decryption key enables the usage.
AFAIK I have three types of certs, which I need:

filename     location                  script-file
root.pem     radius-server:/etc/1x     CA.root
root.der     user-host                 # created above - derived
server.pem   radius-server:/etc/1x     CA.svr <radius-server>
user.p12     user-host                 CA.clt <username>
So, server.pem has the hostname "in it"...
Rather than fixing the way I did it... what about showing me the right way to do it
Copying / modifying / creating the appropriate certs for a backup radius server.
ciao artur
As you can see, I am a bit lost there... Thanks a lot for your help!
Tom
-- Thomas Maenner E-Mail: mailto:[EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
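An added example, not code from this thread or from the HOWTO it links, showing where a root certificate's lifetime actually comes from. `openssl req -x509` takes its validity period from `-days` and uses a built-in default of 30 days when the flag is absent; the `default_days` value in openssl.cnf lives in the `[ca]` section and only governs certificates issued by `openssl ca`, which is why the user and server certs in the thread get a year while the root made by CA.root lasts 30 days. The script assumes a working `openssl` binary on PATH; the scratch directory, subject name and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the thread's CA.root script): create a root CA with an
# explicit lifetime and check when it expires. Assumes `openssl` is on PATH;
# the scratch directory, subject and function names are constructed here.
set -eu

# make_root_ca OUTDIR [DAYS]
# Writes an unencrypted RSA key to OUTDIR/root.key and a self-signed root
# certificate to OUTDIR/root.pem. With DAYS given, -days sets the lifetime;
# without it, `openssl req -x509` falls back to its built-in 30-day default
# (the [ca] section's default_days in openssl.cnf is never consulted here).
make_root_ca() {
  dir="$1"
  days_opt=""
  if [ $# -ge 2 ]; then
    days_opt="-days $2"
  fi
  mkdir -p "$dir"
  # $days_opt is intentionally unquoted so it expands to two words or none.
  # shellcheck disable=SC2086
  openssl req -new -x509 -nodes -newkey rsa:2048 $days_opt \
    -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
}

# cert_end_date FILE
# Prints the certificate's notAfter field, e.g. "notAfter=Jan  1 00:00:00 2035 GMT".
cert_end_date() {
  openssl x509 -noout -enddate -in "$1"
}

# cert_valid_for FILE DAYS
# Exit status 0 if FILE is still valid DAYS days from now, 1 if it will have
# expired by then (uses `openssl x509 -checkend`, which takes seconds).
cert_valid_for() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Demo: one root made the way CA.root does it (no -days) and one with an
# explicit ten-year lifetime; the scratch directory is removed on exit.
WORK="${TMPDIR:-/tmp}/rootca-demo.$$"
trap 'rm -rf "$WORK"' EXIT
make_root_ca "$WORK/default"
make_root_ca "$WORK/tenyear" 3650
echo "no -days:   $(cert_end_date "$WORK/default/root.pem")"
echo "-days 3650: $(cert_end_date "$WORK/tenyear/root.pem")"
```

For the thread's CA.root script the corresponding change is adding `-days <n>` to its `openssl req -new -x509 ...` line; note that a replaced root is a new trust anchor, so the regenerated root.der has to be redistributed to every client that stores it, and server and user certificates signed by the old root must be reissued under the new one.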
