FreeRadius2 and selfsigned certificates

I have had FreeRadius2 and the 320 platform up for 4 months now using the
supplied certificates. I am now trying to move to self-signed certificates
and am having problems. Can someone lead me in the right direction please?
My logs and other details are below.

--------------------
In my radius log when I try my new certificates with the 320 series I get
the following alternating until I put the pmp320 certs back on the server:

Mon Apr 4 15:06:38 2011 : Error: TLS Alert read:fatal:unknown CA
Mon Apr 4 15:06:38 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
Mon Apr 4 15:06:38 2011 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Mon Apr 4 15:06:38 2011 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Mon Apr 4 15:10:29 2011 : Error: TLS Alert read:fatal:bad certificate
Mon Apr 4 15:10:29 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
Mon Apr 4 15:10:29 2011 : Error: rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Mon Apr 4 15:10:29 2011 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

-----------------
I made my certs by running the make file in the /etc/raddb/certs directory
and editing the 3 .cnf files with my information. I ran ‘make’ and ‘make
client’. I installed the client.pem file onto the CSM.


-----------------
eap.conf
320 certs:
private_key_password = PMP320DemoCertificate
private_key_file = ${certdir}/pmp320server_key.pem
certificate_file = ${certdir}/pmp320server_cert.pem
CA_file = ${certdir}/pmp320cacert.pem

selfsigned certs:
private_key_password = whatever #I did not change the default key with my tests
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

If you create your own certificates you need to either:
1) wait before you use them — usually 4 to 7 hours (or change the time on your PC back 6 hours and then create the certificates), OR
2) when creating your certificates, UNCHECK the “validate date” option.

I am not sure what you mean by

when creating your certificates, UNCHECK the “validate date” option.


I am using openssl and the make file in the /etc/raddb/certs folder on my linux box to generate the certificates. Could you please clarify? I am searching through the man pages as we speak to try to understand what you are saying.

Gilbert

It is now working for me. Below are some of the relevant configurations. I run /etc/raddb/certs/make after editing both the server.cnf and the ca.cnf files (shown below). As can be seen lower in my eap.conf file, I am using crt files. The make file does not make a ca.crt. To make ca.crt, pipe the output of the command ‘openssl x509 -text -in ca.pem’, which is also the same as ‘/etc/raddb/certs/make printca’.

Now all you need to do is upload the ca.crt file to the Subscriber Radio. The problem I was having was that my certificate was too new. If you uncheck “Validate the date duration of CA certificate”, listed below the certificates on the Subscriber Radio, you should avoid that problem. Otherwise, you may need to wait half a day or so to use your new certificates.

/etc/raddb/eap.conf


eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        # Motorola Certificate
        #private_key_password = PMP320DemoCertificate
        #private_key_file = ${certdir}/pmp320server_key.pem
        #certificate_file = ${certdir}/pmp320server_cert.pem
        #CA_file = ${certdir}/pmp320cacert.pem

        # Self-Signed Certificate
        private_key_password = newlines
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        CA_file = ${cadir}/ca.crt

        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}


/etc/raddb/certs/ca.cnf (Cert is for 10 years minus a day or so because of leap years. Passwords and emails used have been changed to ‘xxxxxxxx’)

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 1024
input_password = xxxxxxxxx
output_password = xxxxxxxxx
x509_extensions = v3_ca

[certificate_authority]
countryName = US
stateOrProvinceName = ARIZONA
localityName = PHOENIX
organizationName = Phoenix Internet
emailAddress = xxxxxxxxxx
commonName = "Phoenix Internet Radius Certificate Authority"

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:true


/etc/raddb/certs/server.cnf (Cert is for 10 years minus a day or so because of leap years. Passwords and emails used have been changed to ‘xxxxxxxx’)

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = server
default_bits = 1024
input_password = xxxxxxxx
output_password = xxxxxxxx

[server]
countryName = US
stateOrProvinceName = ARIZONA
localityName = PHOENIX
organizationName = Phoenix Internet
emailAddress = xxxxxxx
commonName = "Phoenix Internet Radius Server Certificate"
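The two alerts in the original log map to two different checks a client performs on the server certificate: "unknown CA" means the CA file held by the radio did not issue the certificate it was shown, and "bad certificate" was, in this thread, the certificate's notBefore still lying in the future for the radio's clock. The script below is an added example and is not code from the thread or from the FreeRADIUS or PMP 320 projects. It builds a throwaway CA and server certificate in a temporary directory with the openssl CLI (all names and the minimal .cnf files are constructed to mirror the shape of the ca.cnf/server.cnf above), produces ca.crt the way the last post describes, and then runs both checks: chain verification against the right and a wrong CA file, and verification as seen by a client whose clock is six hours behind, which is the "certificate is too new" case.

```shell
#!/bin/sh
# Added example, not part of the thread: rebuild the two checks behind the
# alerts in the original log with only the openssl CLI. A throwaway CA and
# server certificate are created in a temporary directory (names are
# constructed); nothing under /etc/raddb is touched.
set -e

WORK=$(mktemp -d)

# Throwaway CA plus a server certificate signed by it. The minimal config
# files mirror the shape of the thread's ca.cnf/server.cnf (prompt = no,
# a [ req ] section, x509_extensions = v3_ca for the CA).
make_test_certs() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = certificate_authority
x509_extensions = v3_ca
[ certificate_authority ]
commonName = Example Radius Certificate Authority
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
EOF
    cat > "$dir/server.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = server
[ server ]
commonName = Example Radius Server Certificate
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# A second, unrelated CA: what the radio effectively trusts when the wrong
# CA file is uploaded to it.
make_other_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -subj "/CN=Some Other CA" \
        -keyout "$1/other-ca.key" -out "$1/other-ca.pem" >/dev/null 2>&1
}

# ca.crt the way the post builds it: the text dump followed by the PEM block
# (the same output as 'make printca'). openssl skips the text when reading it.
make_ca_crt() {
    openssl x509 -text -in "$1" > "$2"
}

# Does the server cert chain to the CA file the radio will hold?
# A mismatch here is what shows up as "TLS Alert read:fatal:unknown CA".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, evaluated as a client whose clock reads $3 (epoch seconds).
# A radio whose clock is behind the issuing host sees a notBefore in the
# future and rejects the cert: the "certificate is too new" symptom, which
# surfaces as "TLS Alert read:fatal:bad certificate".
verify_chain_at() {
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the material and report the result of each check.
if [ "${1:-}" = "--demo" ]; then
    make_test_certs "$WORK"
    make_other_ca "$WORK"
    make_ca_crt "$WORK/ca.pem" "$WORK/ca.crt"
    now=$(date +%s)
    verify_chain "$WORK/ca.crt" "$WORK/server.pem" && echo "right CA file: OK"
    verify_chain "$WORK/other-ca.pem" "$WORK/server.pem" || echo "wrong CA file: rejected (unknown CA)"
    verify_chain_at "$WORK/ca.crt" "$WORK/server.pem" "$now" && echo "current clock: OK"
    verify_chain_at "$WORK/ca.crt" "$WORK/server.pem" $((now - 6 * 3600)) || echo "clock 6h behind: rejected (not yet valid)"
    rm -rf "$WORK"
fi
```

Run it with `--demo` to see all four outcomes. The `-attime` check is the useful one for the symptom in this thread: if a freshly issued certificate verifies at the current time but fails six hours earlier, the radio's clock, not the certificate, is what needs attention, and unchecking the date validation on the radio only hides that skew.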