Hi

I tried to make self-signed certificates for testing with FreeRadius and Radiator in combination with EAP/TLS and EAP/TTLS (and eventually PEAP).
With the Radiator certificate example script and the scripts I saw on the net for FreeRadius implementations I keep getting errors creating the certificates. I tried this with both OpenSSL 0.9.7 and 0.9.8-dev, and tried FreeBSD as well as Debian Linux.

I use the following sequence to create a root certificate:
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever
echo "newreq.pem" | /usr/local/ssl/misc/CA.pl -newca >/dev/null
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
openssl x509 -inform PEM -outform DER -in root.pem -out root.der

This works fine with 0.9.7, however with 0.9.8-dev the
"openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever"
fails with:
MAC verified OK
Error outputting keys and certificates
77995:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:430:
77995:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
77995:error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:122:

Since it works with 0.9.7 and 0.9.8 is still in development I didn't bother that much, however the experiment with 0.9.8-dev stopped here.

The next step would be the creation of the client certificate, according to the example-scripts I found.

openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem

After this second command (with 0.9.7) the openssl binary exits with a Segmentation fault... (under Linux; I remember when doing this under FreeBSD openssl even dumped core.)

# openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 10 14:09:48 2003 GMT
Not After : Feb 10 14:09:48 2004 GMT
Subject:
countryName = NL
stateOrProvinceName = Here
organizationName = Organisation
commonName = paul
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Feb 10 14:09:48 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Segmentation fault

I guess there is something wrong in the command-sequence I used? I don't know what all commands mean, I'm quite new to creating certificates with OpenSSL. (BTW, Since the CA.pl script is used,
Any input on this is appreciated!
Are there any examples with more explanation about the commands issued to openssl?

Thank you in advance,
Paul


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
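
The steps the post walks through (self-signed root, client request, signing with the client-authentication extension, DER export of the root), as a commented script. This is an added example, not part of the original post or of the Radiator/FreeRadius scripts; it swaps CA.pl and `openssl ca` for `openssl x509 -req`, and the function name, file names, config file and passphrases are assumptions.

```shell
#!/bin/sh
# Added example: throwaway test CA plus one client certificate.
# File names, subjects and passphrases are constructed placeholders.
make_test_pki() {
    dir=$1; cnf=$dir/test-pki.cnf
    mkdir -p "$dir" || return 1
    # Passphrases come from the environment (env:VAR), so they do not show
    # up in the process list the way pass:... arguments do.
    CA_PASS=${CA_PASS:-example-ca-pass}
    CLIENT_PASS=${CLIENT_PASS:-example-client-pass}
    export CA_PASS CLIENT_PASS

    # Private config, so nothing depends on the system openssl.cnf.
    # xpclient_ext plays the role of the xpextensions file in the post.
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = NL
O = Organisation
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF

    # 1. Self-signed root: -x509 makes req emit a certificate, not a CSR.
    openssl req -new -x509 -newkey rsa:2048 -days 730 -config "$cnf" \
        -extensions v3_ca -subj "/C=NL/O=Organisation/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -passout env:CA_PASS || return 1

    # 2. Client key and certificate request (a CSR, since -x509 is absent).
    openssl req -new -newkey rsa:2048 -config "$cnf" \
        -subj "/C=NL/O=Organisation/CN=paul" -keyout "$dir/client.key" \
        -out "$dir/client.csr" -passout env:CLIENT_PASS || return 1

    # 3. Sign the CSR with the root key and attach the client-auth EKU.
    openssl x509 -req -in "$dir/client.csr" -days 365 -set_serial 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -passin env:CA_PASS \
        -extfile "$cnf" -extensions xpclient_ext -out "$dir/client.pem" || return 1

    # 4. Check chain and client purpose, then export the root as DER.
    openssl verify -purpose sslclient -CAfile "$dir/ca.pem" "$dir/client.pem" || return 1
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/root.der"
}
```

Call it as `make_test_pki ./testpki`; the directory then holds ca.pem, client.pem, the encrypted keys and root.der.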