hello,
For the past week, I am trying to get information to
setup a sceure way for my obsd(3.8)AP --- XP. I
find the following document:
http://www50.brinkster.com/dachee/OpenVPN.htm
Is there anyone try this out successfully ? As I was
stopped at the OpenSSL CA Certificates. The error
is like this
===
openssl req -new -x509 -keyout private/CA_key.pem -out
CA_cert.pem -days 9125
Error Loading extension section CA_extensions
12446:error:2207C082:X509 V3
routines:DO_EXT_CONF:unknown extension
name:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:123:
12446:error:2206B080:X509 V3
routines:X509V3_EXT_conf:error in
extension:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:92:name=default_days,
value=9125
The openssl.cnf is
---
[ ca ]
# Default directives for ca command
default_ca=CA_default
# reference to a new section name
[ CA_default ]
# Default directives for the ca command
# referred from [ ca ] section
dir =/etc/ssl
# openssl working directory
crl_dir =$dir/crl
# directory for certificate revoke file
database =$dir/index.txt
# index file for every issued certificate
new_certs_dir =$dir/certs
# where copies of each certificate is stored.
# each copy is identified as nn.pem
# nn corresponds with the index number in index.txt
certificate =$dir/CA_cert.pem
# Name of the Certificate Authority#161;#166;s
Certificate
# File is used in signing or revoking a certificate
serial=$dir/serial
# The serial number to use for the next certificate
# Same as #161;#165;serialfile#161;#166; option
and serials text.
crl =$dir/crl/crl.pem
# File that contains the list of revoked certificates.
private_key =$dir/private/CA_key.pem
# Private key of the Certificate Authority
RANDFILE =$dir/private/.rand
# Private random number file
default_days =9125
# Days a signed cert is valid
default_crl_days =30
# Days before the next certificate revocation list
default_md=md5
# Message digest algorithm- md5, sh1 or mdc2
unique_subject=yes
# All certificates must have a unique, distinguished
name
policy=policy_any
# Reference section for policy enforced when signing a
request
x509_extensions =user_extensions
# reference section when ca command signs certificate
[ policy_any ]
# Default directives while signing a request
# Referenced from [ CA_default ] section
organizationName=match
# organizationName must match CA_cert
organizationalUnitName =optional
# certificate does not have to have
organizationalUnitName
commonName =supplied
# certificate must have commonName but is supplied by
user
[ req ]
# Default directives for the req command
# (Public Key is contained in the certificate request)
default_bits=2048
default_keyfile =privkey.pem
# default key file location but #161;Vkeyout command
overrides
distinguished_name =req_distinguished_name
# Reference section for assembling the distinguished
name
x509_extensions =CA_extensions
# Reference section when req #161;Vx509 commands
are invoked
[ req_distinguished_name ]
# Default directives for the req command
# referenced from [ req ] section
# Presents user prompts to assemble the distinguish
name
organizationName=Organization Name (must match
CA)
organizationName_default=ORGNAME
# REPLACE VALUE AS PROMPT DEFAULT FOR YOUR ORG
organizationalUnitName =Location Name
commonName =Common User or Org Name
# These two values above can be changed but not
required.
# their values will appear as prompts when creating
certs/keys.
# Max characters in common name.
commonName_max =64
[ user_extensions ]
# default directives when ca command signs a
certificate
# referenced from [ CA_default ]
basicConstraints=CA:FALSE
# The certificate is not allowed to sign other objects
[ CA_extensions ]
# default directives for req #161;Vx509 command
# referenced from [ req ] section
# added extensions when request creates self signed
certificate
basicConstraints=CA:TRUE
# Certificate is allowed to sign other new
certificates.
default_days =9125
# Days a self sign cert is valid. If not used, the
default
# of 30 days may be applied and VPN clients will not
be able
# to connect after it expires.
[ server ]
# Optional directives for ca #161;Vextensions
server commands
# Overrides [ user_extensions ] section normally
referenced
# by the ca command alone.
basicConstraints=CA:FALSE
nsCertType =server
# signing a server certificate requires this extension
to
# prevent man in the middle attacks. Allows OpenVPN
clients
# to use ns-cert-type server in OpenVPN configuration
file.
---
Thanks
clarence
