#1 yourname3232 (Linux User, joined Aug 2005, Pacific Northwest, USA)

    OpenSSL certificate generation error


    I am trying to generate keys for a RADIUS server using OpenSSL. I am following the howto here
    and I am using the following script to generate client certificates (the only one I get errors on):

    Code:
    #!/bin/sh
    # Stop at the first failing command so a failed signing step cannot
    # cascade into errors from the pkcs12 and x509 steps that follow it.
    set -e
    if [ $# -ne 1 ]; then
        echo "usage: $0 <client-name>" >&2
        exit 1
    fi
    SSL=/usr/local/openssl-certgen
    export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
    export LD_LIBRARY_PATH=${SSL}/lib
    echo "*********************************************************************************"
    echo "Creating client private key and certificate"
    echo "When prompted enter the client name in the Common Name field. This is the same"
    echo " used as the Username in FreeRADIUS"
    echo "*********************************************************************************"
    echo
    # Request a new PKCS#10 certificate.
    # First, newreq.pem will be overwritten with the new private key and certificate request
    openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
    # Sign the certificate request. The policy is defined in the openssl.cnf file.
    # The request generated in the previous step is specified with the -infiles option
    # (which must be the last option) and the output is in newcert.pem
    # The -extensions option is necessary to add the OID for the extended key for client authentication
    openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
    # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
    # and place in file specified on the command line
    openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" -clcerts -passin pass:whatever -passout pass:whatever
    # parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
    openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever
    # Convert certificate from PEM format to DER format
    openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"
    # clean up (the signed certificate is newcert.pem, not newcert)
    rm -f newcert.pem newreq.pem
    The error I get is as follows:
    Code:
    ..
            X509v3 extensions:
                X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Certificate is to be certified until Sep 26 23:57:53 2007 GMT (365 days)
    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2
    No certificate matches private key
    17354:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
    unable to load certificate
    17355:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
    Registered GNU/Linux User #399198
    'Experience is something you don't get until just after you need it.' -Steven Wright

#2 yourname3232
    Hey, I figured it out, the xpextensions file needed to be in the openssl configuration directory. Moved it there, and no errors!
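Editor's note on the errors in the first post: "TXT_DB error number 2" is OpenSSL's index-clash code for the CA database. The row `openssl ca` is trying to add to index.txt collides with an entry already there on a unique index, which is the subject when unique_subject is in effect (the default) or the serial number. The three errors after it come from the later commands running on the empty or missing files the failed step left behind, because the posted script runs every step whether or not the previous one succeeded. The script below is an added example, not code from the post or from the howto it follows. It builds a throwaway CA that issues client certificates with the same xpclient_ext section name, checks each step's artifact before the next step runs, references the extension file by absolute path, and passes passwords through the environment. The work directory, the minimal openssl.cnf, and the client names alice and bob are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script or the howto's. Throwaway CA
# issuing EAP-TLS client certificates; every step is verified by its artifact.
set -eu
umask 077                                      # key and password files 0600

WORK=${WORK:-$(mktemp -d)}                     # assumed scratch directory
CA_PASS=${CA_PASS:-$(openssl rand -hex 16)}    # CA key password, generated per run
export WORK CA_PASS

setup_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"                   # empty CA database
    echo 01 > "$WORK/ca/serial"

    # Minimal openssl.cnf (assumed). unique_subject=yes is the OpenSSL default
    # and is what refuses a second certificate for an already-issued CN.
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $WORK/ca
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_anything
unique_subject = yes

[ policy_anything ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

    # Same section name the post's script asks for; referenced by absolute
    # path below so it never depends on the current working directory.
    cat > "$WORK/xpextensions" <<EOF
[ xpclient_ext ]
extendedKeyUsage = clientAuth
EOF

    openssl req -x509 -newkey rsa:2048 -days 3650 -config "$WORK/openssl.cnf" \
        -subj "/CN=Example RADIUS CA" -keyout "$WORK/ca/cakey.pem" \
        -out "$WORK/ca/cacert.pem" -passout env:CA_PASS 2>/dev/null || return 1
}

# issue_client BASENAME [CN]: key, CSR, signed certificate and PKCS#12 bundle
# for one user. CN defaults to BASENAME; giving it separately lets the
# duplicate-CN case be exercised without overwriting the first user's files.
issue_client() {
    base=$1; cn=${2:-$1}
    CLIENT_PASS=$(openssl rand -hex 16); export CLIENT_PASS
    openssl req -new -newkey rsa:2048 -config "$WORK/openssl.cnf" -subj "/CN=$cn" \
        -keyout "$WORK/$base.key" -out "$WORK/$base.csr" -passout env:CLIENT_PASS \
        2>/dev/null || return 1
    # -infiles must stay last. Check the artifact, not only the exit status:
    # a refused request leaves an empty -out file behind.
    if ! openssl ca -batch -notext -config "$WORK/openssl.cnf" -passin env:CA_PASS \
            -extensions xpclient_ext -extfile "$WORK/xpextensions" \
            -out "$WORK/$base.pem" -infiles "$WORK/$base.csr" 2>"$WORK/$base.ca.err" \
       || ! grep -qs 'BEGIN CERTIFICATE' "$WORK/$base.pem"; then
        cat "$WORK/$base.ca.err" >&2
        return 1
    fi
    openssl pkcs12 -export -clcerts -in "$WORK/$base.pem" -inkey "$WORK/$base.key" \
        -passin env:CLIENT_PASS -passout env:CLIENT_PASS -out "$WORK/$base.p12" \
        2>/dev/null || return 1
    printf '%s\n' "$CLIENT_PASS" > "$WORK/$base.p12.pass"   # hand over out of band
}

# cert_eku FILE: prints the extended key usage names in the certificate.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# verify_client BASENAME: the issued certificate must chain to the CA.
verify_client() {
    openssl verify -CAfile "$WORK/ca/cacert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

setup_ca
issue_client alice
issue_client bob
echo "issued alice and bob under $WORK"
```

Two practical notes. A second request for a Common Name that is already in index.txt is refused while unique_subject is in effect; since the CN is the FreeRADIUS username, re-issuing for the same user is the normal case, so either revoke the earlier certificate (`openssl ca -config ... -revoke <old cert>`) or set `unique_subject = no` in the CA section. And `-passin pass:whatever` on the command line puts the passphrase in the process list, readable by every local user while the command runs; `env:` or `file:` avoids that, and the fixed literal from the howto should be replaced in any case.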
