- 09-26-2006 #1
OpenSSL certificate generation error
I am trying to generate keys for a RADIUS server using OpenSSL. I am following the howto here
and I am using the following script to generate client certificates (the only one I get errors on)
Code:
    #!/bin/sh
    SSL=/usr/local/openssl-certgen
    export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
    export LD_LIBRARY_PATH=${SSL}/lib
    echo "*********************************************************************************"
    echo "Creating client private key and certificate"
    echo "When prompted enter the client name in the Common Name field. This is the same"
    echo " used as the Username in FreeRADIUS"
    echo "*********************************************************************************"
    echo
    # Request a new PKCS#10 certificate.
    # First, newreq.pem will be overwritten with the new certificate request
    openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
    # Sign the certificate request. The policy is defined in the openssl.cnf file.
    # The request generated in the previous step is specified with the -infiles option and
    # the output is in newcert.pem
    # The -extensions option is necessary to add the OID for the extended key for client authentication
    openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
    # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
    # and place in file specified on the command line
    openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever
    # parse the PKCS#12 file just created and produce a PEM format certificate and key in certclt.pem
    openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever
    # Convert certificate from PEM format to DER format
    openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
    # clean up
    rm -rf newcert newreq.pem

The error I get is as follows:

Code:
    ..
    X509v3 extensions:
    X509v3 Extended Key Usage:
    TLS Web Client Authentication
    Certificate is to be certified until Sep 26 23:57:53 2007 GMT (365 days)
    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2
    No certificate matches private key
    17354:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
    unable to load certificate
    17355:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

Registered GNU/Linux User #399198
'Experience is something you don't get until just after you need it.' -Steven Wright
- 09-28-2006 #2
Hey, I figured it out, the xpextensions file needed to be in the openssl configuration directory. Moved it there, and no errors!
Registered GNU/Linux User #399198
'Experience is something you don't get until just after you need it.' -Steven Wright
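
An added example, not part of either post or of the howto's script: a preflight that checks the file passed to -extfile is readable and defines xpclient_ext with the client-authentication extended key usage before signing, and that stops at the first failed step so later commands do not pile further errors on top of the first one. Function names and exit codes are assumptions made for this example, and only the signing and PKCS#12 export steps are shown.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are hypothetical.
CLIENT_AUTH_OID="1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, shown as "TLS Web Client Authentication"

# section_has_client_auth FILE SECTION
# 0 = SECTION in FILE sets extendedKeyUsage to clientAuth (name or OID)
# 1 = FILE not readable, 2 = SECTION not found, 3 = EKU absent or not clientAuth
section_has_client_auth() {
    file=$1 section=$2
    [ -r "$file" ] || return 1
    awk -v want="$section" -v oid="$CLIENT_AUTH_OID" '
        /^[ \t]*\[/ {                      # header such as "[ xpclient_ext ]"
            name = $0
            sub(/#.*/, "", name)           # drop a trailing comment
            gsub(/\[|\]|[ \t]/, "", name)
            in_sec = (name == want)
            if (in_sec) found = 1
            next
        }
        in_sec && /^[ \t]*extendedKeyUsage[ \t]*=/ {
            if (index($0, oid) || $0 ~ /clientAuth/) eku = 1
        }
        END { exit (found ? (eku ? 0 : 3) : 2) }
    ' "$file"
}

# run_step DESCRIPTION COMMAND [ARGS...]: run one step, report if it fails.
run_step() {
    desc=$1; shift
    "$@" || { echo "FAILED: $desc (exit $?)" >&2; return 1; }
}

# issue_client_cert NAME [EXTFILE]
# Checks the extensions file first, then signs and exports, stopping at the
# first failure so a missing newcert.pem never reaches the pkcs12 step.
# Passphrases are prompted for here instead of being given as pass: arguments.
issue_client_cert() {
    name=$1 extfile=${2:-xpextensions}
    [ -n "$name" ] || { echo "usage: issue_client_cert NAME [EXTFILE]" >&2; return 64; }
    section_has_client_auth "$extfile" xpclient_ext || {
        echo "extensions file check failed: $extfile (code $?)" >&2; return 65; }
    run_step "sign request" openssl ca -policy policy_anything -out newcert.pem \
        -extensions xpclient_ext -extfile "$extfile" -infiles newreq.pem &&
    run_step "export PKCS#12" openssl pkcs12 -export -in newcert.pem \
        -inkey newreq.pem -out "$name.p12" -clcerts
}
```
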


