Hey Karl,

did you find anything out about your problem?

On 24.04.24 at 16:53, Karl Peciulis via PacketFence-users wrote:
> 140644003884032:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
> 140644003884032:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=X509
>
> To me that seems like some sort of OpenSSL error. Any ideas on where to look next?

Reading your message again, I thought this could be related to problems I had using the PF PKI (the problems could arise with any PKI, but they were pitfalls for me when trying the PF PKI for the first time).

When I generated a CA certificate using the PF PKI, I found that it would not be accepted for EAP-TLS. Testing the certificates (CA and client certificates) using `openssl verify`, I found that the CA was not accepted and therefore the client certificate was invalid.

I changed my setup like this: I created a CA independent of PacketFence using openssl and checked it. Then I created a signing request from the PF CA certificate and signed it using my openssl CA. I imported the new CA certificate into the PacketFence PKI.

Then I had a CA certificate (openssl CA) and an intermediate certificate (PacketFence PKI CA). These CA certificates were then accepted by PF's RADIUS server (Configuration / SSL certificates), and the client certificates worked for EAP-TLS.

If your SCEP error is openssl complaining about the certificate, you might see a related error in a different place than I did.

Also, I often had to use `openssl` with the `-legacy` option to get it to accept a cert/CSR from my PF PKI, on which I used RSA/SHA256, because I had errors using elliptic curves when I started my tests and thought it would be wise to go back to defaults.

To get rid of the remains of your tests in the PKI section of PF: I deleted all the tables related to pki in the MySQL database multiple times to start over. Do not forget to restart the PF PKI after changes, whether made in the web interface or directly in the database.

Chris

--
Packetfence Matrix Room
https://matrix.to/#/%23packetfence:matrix.org


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
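The chain Chris describes, rebuilt with plain openssl as an added example (this is not PacketFence code and not from either post in the thread): an independent root CA, an intermediate CA that stands in for the PacketFence PKI CA (generated locally here instead of being exported from PF), and an EAP-TLS client certificate signed by the intermediate. The script then runs the `openssl verify` checks, shows that trusting only a non-root CA fails unless `-partial_chain` is given (one way a "CA not accepted" result shows up), and reproduces a PEM/DER mix-up, which is one common trigger of an ASN.1 "wrong tag" error when OpenSSL tries to decode an X509 structure. File names, subject names and the `WORK` directory are assumptions for the example.

```shell
#!/bin/sh
# Added example; not PacketFence code and not from the original post.
# Builds root CA -> intermediate CA -> client cert with openssl, verifies the
# chain, and reproduces a PEM-read-as-DER parse failure.
# All file and subject names are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for generated files

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Extensions for the intermediate (a CA that may only sign leaf certs) and the client.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
cat > "$WORK/client.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF

build_chain() {
    # 1. Self-signed root CA, RSA/SHA-256 as in the thread.
    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # 2. Intermediate CA: a CSR (the "signing request from the PF CA" step) signed by the root.
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    # 3. EAP-TLS client certificate signed by the intermediate.
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=user@example.test" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Trust the root, hand the intermediate over as untrusted: this is the check
# that must say "OK" before the certificates are worth loading into RADIUS.
verify_full_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/int.pem" "$WORK/client.pem"
}

# Trust only the intermediate: fails with "unable to get issuer certificate",
# because OpenSSL wants the chain to end in a self-signed trust anchor ...
verify_intermediate_only() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/int.pem" "$WORK/client.pem"
}

# ... unless -partial_chain explicitly allows a non-self-signed trust anchor.
verify_intermediate_partial() {
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$WORK/int.pem" "$WORK/client.pem"
}

# PEM/DER mix-up: decoding a PEM file as DER fails on the first byte ('-' of
# "-----BEGIN"), which is not the SEQUENCE tag an X509 structure starts with.
parse_pem_as_der() {
    openssl x509 -inform DER -in "$WORK/root.pem" -noout
}

# The same certificate parses once it is actually converted to DER.
convert_and_parse_der() {
    openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.der" &&
        openssl x509 -inform DER -in "$WORK/root.der" -noout -subject
}

build_chain
echo "full chain (root trusted, intermediate untrusted):"; verify_full_chain
echo "intermediate only (expected to fail):"; verify_intermediate_only || true
echo "intermediate only with -partial_chain:"; verify_intermediate_partial
echo "PEM read as DER (expected to fail):"; parse_pem_as_der 2>&1 || true
echo "converted to DER first:"; convert_and_parse_der
```

Run it with `sh chain-demo.sh`; set `WORK=/some/dir` to keep the generated files. In a PacketFence setup the intermediate CSR would come from the PF PKI instead of the local `openssl req`, and both `root.pem` and `int.pem` are what Chris loaded into the RADIUS configuration. The `-legacy` option Chris mentions is, in OpenSSL 3, an option of `openssl pkcs12` that enables the legacy provider for PKCS#12 bundles built with older algorithms; `openssl x509`, `req` and `verify` as used above do not take it.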