Find the answer to your Linux question:
Results 1 to 4 of 4
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    advanced help with OpenSSL

    hello all,

    i am deploying freeradius 2.0.5 on SUSE 10.3, and i use openSSL 0.9.8e.

    i intend to use this chain of certifiction with:

    1 - CA (self-signed)

    2 - Server (signed by the CA cert, normal)

    3 - Clients (signed by the Server instead of the CA. There is a good reason of this)

    i have already clients certicates signed by the CA and they are ok, when i use them in eap-tls authentication, and authentication won't success when i do eap-peap.

    # Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    I tried mysel to create corrects certificates allowed to sign clients Certificates, but i am a kind of rookie on Linux. windows says for the client cert the folowing:

    "This certificate is not valide cause one of the Certifiction Authority in the path of certification sems not to be alowed to de liver certificates, or this certificate cannot be used asfinal entity certificate"

    OpenSSL sounds like chinese (or english ) for me, so I need help

    All my client will be on windows xp sp2, so i will need these extensions too:

    #for the clients certs
    [ xpclient_ext]
    extendedKeyUsage =

    # For the Servers certs
    [ xpserver_ext]
    extendedKeyUsage =

    thanx a lot for helping

  2. #2
    i need help from OpenSSL Guru's please!


  3. #3
    S.O.S, mayday mayday!!

  4. $spacer_open
  5. #4
    Linux Engineer Thrillhouse's Avatar
    Join Date
    Jun 2006
    Arlington, VA, USA
    OK, this may or may not be your problem but I don't think you can just have the server sign certificates issued by the root CA. It needs to be its own intermediate or subordinate CA (to the root) and you need to use it to issue certificates to the clients. Just issuing a certificate to clients from the root CA and using the server to sign them won't work because in the eyes of the root CA, the certificate issued to the server is no different than the certificate issued to a client. You're expecting the cert issued to the server to somehow hold more power (the power to sign client certs) than those issued to the client when they are really no different.

    The error message you are receiving seems to jive with this reasoning. The client certificates are being verified against a chain of trust. You want your chain of trust to start with the subordinate CA (the server) and bump up to the root CA. It's realizing that your server is not authorized to sign certificates so it's stopping right there.

    Hopefully, that at least gives you some ideas. Google "certificate authority chaining" and see if that helps. Good luck.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts