This is a discussion on Re: Certificate creation???? within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Hi Andreas,

Had the same problem recently - it's due to the -next_serial option being unsupported in your version of OpenSSL but the CA.pl script requiring it! The -next_serial option was introduced in OpenSSL version 0.9.7e:

Changes between 0.9.7d and 0.9.7e [XX xxx XXXX] - *) + *) Reduce the chances of duplicate issuer name and serial numbers (in + violation of RFC3280) using the OpenSSL certificate creation utilities. + This is done by creating a random 64 bit value for the initial serial + number when a serial number file is created or when a self signed + certificate is created using 'openssl req -x509'. The initial serial + number file is created using 'openssl x509 -next_serial' in CA.pl + rather than being initialized to 1. + [Steve Henson]

I had installed 0.9.7g without removing an existing version of openssl (0.9.7d). I don't know if this is your problem but I would try removing all versions of OpenSSL and reinstalling 0.9.7g - everything should work when the CA.pl script and the openssl versions are 'in-line'.

Hope this helps

Andy Street

Andreas Korber wrote:
>Hi,
>What am I doing wrong? The creation of my certificates for EAP/TLS with
>CA.all or CA.certs always ends with a message like this:
>
>-----
>Country Name (2 letter code) [AU]:State or Province Name (full name)
>[Some-State]:Locality Name (eg, city) []:Organization Name (eg, company)
>[Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common
>Name (eg, YOUR name) []:Email Address []:
>Please enter the following 'extra' attributes
>to be sent with your certificate request
>A challenge password []:An optional company name []:Using configuration from
>/etc/ssl/openssl.cnf
>./demoCA/serial: No such file or directory
>error while loading serial number
>3164:error:02001002:system library:fopen:No such file or
>directory:bss_file.c:276:fopen('./demoCA/serial','r')
>3164:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
>Failed to do sign certificate
>radius:/usr/local/etc/raddb/certs #
>
>
>So I looked for the serial file. But it doesn't exist. I think because of an
>earlier message:
>
>CA certificate filename (or enter to create)
>unknown option -next_serial
>usage: x509 args
> -inform arg - input format - default PEM (one of DER, NET or PEM)
> -outform arg - output format - default PEM (one of DER, NET or PEM)
> -keyform arg - private key format - default PEM
> -CAform arg - CA format - default PEM
> -CAkeyform arg - CA key format - default PEM
> -in arg - input file - default stdin
> -out arg - output file - default stdout
> -passin arg - private key password source
> -serial - print serial number value
> -hash - print hash value
> -subject - print subject DN
> -issuer - print issuer DN
> -email - print email address(es)
> -startdate - notBefore field
> -enddate - notAfter field
> -purpose - print out certificate purposes
> -dates - both Before and After dates
> -modulus - print the RSA key modulus
> -pubkey - output the public key
> -fingerprint - print the certificate fingerprint
> -alias - output certificate alias
> -noout - no certificate output
> -ocspid - print OCSP hash values for the subject name and public
>key
> -trustout - output a "trusted" certificate
> -clrtrust - clear all trusted purposes
> -clrreject - clear all rejected purposes
> -addtrust arg - trust certificate for a given purpose
> -addreject arg - reject certificate for a given purpose
> -setalias arg - set certificate alias
> -days arg - How long till expiry of a signed certificate - def 30
>days
> -checkend arg - check whether the cert expires in the next arg seconds
> exit 1 if so, 0 if not
> -signkey arg - self sign cert with arg
> -x509toreq - output a certification request object
> -req - input is a certificate request, sign and output.
> -CA arg - set the CA certificate, must be PEM format.
> -CAkey arg - set the CA key, must be PEM format
> missing, it is assumed to be in the CA file.
> -CAcreateserial - create serial number file if it does not exist
> -CAserial arg - serial file
> -set_serial - serial number to use
> -text - print the certificate in text form
> -C - print out C code forms
> -md2/-md5/-sha1/-mdc2 - digest to use
> -extfile - configuration file with X509V3 extensions to add
> -extensions - section from config file with X509V3 extensions to add
> -clrext - delete extensions before signing and input certificate
> -nameopt arg - various certificate name options
> -engine e - use engine e, possibly a hardware device.
> -certopt arg - various certificate text options
>
>
>
>
>
>Can anyone help me please??
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
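
A check for the mismatch described in the reply above, as an added example that is not part of the original thread: it lists every openssl binary on PATH with its version and whether that version is at or after 0.9.7e, the release the quoted changelog names for -next_serial. The function names are hypothetical, and the version is assumed to be the second field of `openssl version` output.

```sh
#!/bin/sh
# Added example (not from the thread). The 0.9.7e threshold is the one the
# reply quotes; function names are hypothetical.

# Return 0 if version string $1 (e.g. "0.9.7g") is >= 0.9.7e,
# 1 if it is older, 2 if it cannot be parsed.
supports_next_serial() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$nums" ] || return 2
    letter=$(printf '%s\n' "$1" |
        sed -n 's/^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\([a-z]*\).*$/\1/p')
    IFS=. read -r maj min pat <<EOF
$nums
EOF
    if [ "$maj" -gt 0 ]; then return 0; fi
    if [ "$min" -ne 9 ]; then [ "$min" -gt 9 ]; return $?; fi
    if [ "$pat" -ne 7 ]; then [ "$pat" -gt 7 ]; return $?; fi
    case $letter in
        ''|a|b|c|d) return 1 ;;   # 0.9.7 through 0.9.7d
        *)          return 0 ;;   # 0.9.7e and later letters
    esac
}

# Print every executable named openssl on PATH, in lookup order.
# The first line is the binary a bare "openssl" call resolves to.
list_openssl_binaries() {
    old_ifs=$IFS; IFS=:
    for d in $PATH; do
        [ -x "${d:-.}/openssl" ] && printf '%s\n' "${d:-.}/openssl"
    done
    IFS=$old_ifs
}

# One line per binary: path, reported version, verdict.
report() {
    list_openssl_binaries | while IFS= read -r bin; do
        ver=$("$bin" version 2>/dev/null | awk '{print $2}')
        if supports_next_serial "$ver"; then s=yes; else s=NO; fi
        printf '%-32s %-10s -next_serial: %s\n' "$bin" "${ver:-?}" "$s"
    done
}

report
```

More than one line of output, or a NO on the first line, matches the situation in the reply: an older openssl earlier on PATH than the one the CA.pl script was shipped with.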