> See scripts/CA.all

Ran this, and it appears that everything worked right up until the end, when I got these errors:
Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever
-passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##################\n'
##################
tino:/usr/local/ssl/certs#
Any idea what's happening? This is OpenSSL 0.9.7c.
-C
>
> > 2. I think I'm missing some understanding when it comes to the
> > differences between authentication protocols (pap, mschap, etc) and
> > authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
> > ideal scenario is for TTLS to use PAM (which authenticates based on
> > md5 hashes in /etc/shadow),
>
> Huh? Why not just use 'System' authentication?
>
> > I have "DEFAULT Auth-Type := Pam" in my users file; do I need to do
> > anything further depending on the auth protocol I use "inside" the
> > ESP-TTLS tunnel (pap, chap, etc)?
>
> CHAP won't work with passwords from /etc/passwd. See the FAQ.
>
> > 3. I'm really, really in the dark when it comes to the key
> > distribution mechanism. With EAP-TTLS and WPA, what system actually
> > generates and distributes the WPA key? Does the radius server handle
> > that,
>
> Yes.
>
> > Is there a knob in the config I need to set up for this?
>
> No.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
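Added note and example, not part of the posting above: "failed to update database / TXT_DB error number 2" is OpenSSL's DB_ERROR_INDEX_CLASH from apps/ca.c. The `ca` command keeps its issued-certificate database in index.txt and refuses to insert a row whose serial number or subject DN already appears there, so re-running CA.all against a CA directory that already holds a certificate for the same subject fails at exactly that point, and every later step (pkcs12 export, PEM/DER conversion) fails only because newcert.pem was never written. The check below reproduces that clash test on a constructed index.txt; the file contents and subject names are made up for the example.

```shell
#!/bin/sh
# Added example: explain "TXT_DB error number 2" by re-doing the uniqueness
# check OpenSSL's ca app applies to index.txt before signing.
#
# index.txt is tab-separated, one row per issued certificate:
#   status  expiry(YYMMDDHHMMSSZ)  revocation  serial  filename  subject
# In ca.c the serial and subject columns are unique indexes; a row that
# collides on either is rejected with DB_ERROR_INDEX_CLASH (error number 2).

# make_sample_index FILE: write a constructed two-entry index for the demo.
make_sample_index() {
    printf 'V\t041120233406Z\t\t01\tunknown\t/C=US/O=Example/CN=ca.example.test\n' >"$1"
    printf 'V\t041120233406Z\t\t02\tunknown\t/C=US/O=Example/CN=srv.example.test\n' >>"$1"
}

# index_clash INDEX SERIAL SUBJECT
# Returns 1 (and names the clashing column) if inserting (SERIAL, SUBJECT)
# would hit the same index clash the CA.all run above did; returns 0 if the
# row would be accepted.
index_clash() {
    idx=$1; serial=$2; subject=$3
    awk -F '\t' -v s="$serial" -v n="$subject" '
        $4 == s { print "serial " s " already in index"; bad = 1 }
        $6 == n { print "subject " n " already in index"; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$idx"
}

# Stand-alone demo: a fresh subject passes, a repeated subject is rejected.
demo_index=$(mktemp)
make_sample_index "$demo_index"
for cn in new.example.test srv.example.test; do
    if index_clash "$demo_index" 03 "/C=US/O=Example/CN=$cn"; then
        echo "CN=$cn: would be signed"
    else
        echo "CN=$cn: would fail with TXT_DB error number 2"
    fi
done
rm -f "$demo_index"
```

Run it against the real CA directory by pointing `index_clash` at that index.txt with the serial from the `serial` file and the subject you are about to request. When the clash is on the subject, the usual remedies are to revoke the old entry with `openssl ca -revoke` before re-issuing, or to point the script at a clean CA directory; 0.9.7 always enforces the unique subject index (the switch to relax it, unique_subject in index.txt.attr, arrived in a later release).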