-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sergio wrote:
| I think so and you're right. Signing a client cert with a server cert is | inefficient and all my problems would solve itself if radius has ocsp | support. The missing support for OCSP is not your problem. Your problem is the broken certificate hierarchy. You should not sign client certificates with a server certificate. You should sign client certificates with a CA certificate. That CA certificate may or may not be identical with that CA that signed your server certificate. | If i sign all the certs with ca private key everything works ok | but people at freeradius mailing list are insisting on the fact that | default configuration works. Do I get you right: The people on the freeradius mailing list insist on client certs should be signed by the server certificate ? That is hard for me to believe. It seems here is a mayor misunderstanding. | Also, if i put a both.pem file with server | cert and ca cert and put both.pem into CA_file, works. In the CA_file you put all (CA) certificates that issue certificates you may trust. If the server certificate issues client certificates it belongs there. But as I mentioned: That is a sign of a terrible broken concept. | But because of | this, i think i'd have problems to check the crl because the hash value | of CA_file isn't ca file. Is it true? ?? CA_file (or whatever this config option is named) contains a list of all trusted CA certificates. This file is especially needed on the server if you use client authentication: It contains the list of CA names the server sends to the client to show which CAs it accepts (at least in SSL/TLS) There may be another option, called CA_dir (or something like that). It contains every CA certificate in a separate file and optionally all CRLs to use. You run c_rehash on this directory to create special links OpenSSL can use to find CA certificates and their CRLs... These links contain a 8 byte hash value and a extension to differentiate between CA files and CRL files. This 8 byte hash is not calculated on the file, but on the subject DN. So is should be quite clear that every CA file in this directory should contain only one certificate. | Last question :) | how i can to know what's my openssl.cnf file? I have | /etc/ssl/openssl.cnf, /usr/local/ssl and one more which i've forgotten. strings `which openssl` | grep openssl.cnf should show the default configuration file your openssl version. You can always overwrite this with the -config option. | During this month, i've been using -config option with "openssl ca" | command because editing above files doesn't take effect. If in doubt, set the -config option. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIm4L32iGqZUF3qPYRAnQcAJ4wySVZVOEWH1lFbZIPejQmnbd8iQCghmcj +JFEgQWet/KhV4IAeDFn+LU= =fpp+ -----END PGP SIGNATURE----- ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
