Hello, for the past week I have been trying to get information to set up a secure way for my obsd (3.8) AP <---> XP. I found the following document:
http://www50.brinkster.com/dachee/OpenVPN.htm

Has anyone tried this out successfully? I am stuck at the OpenSSL CA & Certificates step. The error is like this:

===========================================================
openssl req -new -x509 -keyout private/CA_key.pem -out CA_cert.pem -days 9125
Error Loading extension section CA_extensions
12446:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension name:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:123:
12446:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:92:name=default_days, value=9125
============================================================

The openssl.cnf is:

-----------------------------------------------
[ ca ]
# Default directives for ca command
default_ca = CA_default                 # reference to a new section name

[ CA_default ]
# Default directives for the ca command
# referred from [ ca ] section
dir              = /etc/ssl             # openssl working directory
crl_dir          = $dir/crl             # directory for certificate revoke file
database         = $dir/index.txt       # index file for every issued certificate
new_certs_dir    = $dir/certs           # where copies of each certificate are stored.
                                        # each copy is identified as nn.pem
                                        # nn corresponds with the index number in index.txt
certificate      = $dir/CA_cert.pem     # Name of the Certificate Authority's Certificate
                                        # File is used in signing or revoking a certificate
serial           = $dir/serial          # The serial number to use for the next certificate
                                        # Same as 'serialfile' option and serials text.
crl              = $dir/crl/crl.pem     # File that contains the list of revoked certificates.
private_key      = $dir/private/CA_key.pem  # Private key of the Certificate Authority
RANDFILE         = $dir/private/.rand   # Private random number file
default_days     = 9125                 # Days a signed cert is valid
default_crl_days = 30                   # Days before the next certificate revocation list
default_md       = md5                  # Message digest algorithm: md5, sha1 or mdc2
unique_subject   = yes                  # All certificates must have a unique, distinguished name
policy           = policy_any           # Reference section for policy enforced when signing a request
x509_extensions  = user_extensions      # reference section when ca command signs certificate

[ policy_any ]
# Default directives while signing a request
# Referenced from [ CA_default ] section
organizationName       = match          # organizationName must match CA_cert
organizationalUnitName = optional       # certificate does not have to have organizationalUnitName
commonName             = supplied       # certificate must have commonName but is supplied by user

[ req ]
# Default directives for the req command
# (Public Key is contained in the certificate request)
default_bits       = 2048
default_keyfile    = privkey.pem                # default key file location but -keyout command overrides
distinguished_name = req_distinguished_name     # Reference section for assembling the distinguished name
x509_extensions    = CA_extensions              # Reference section when req & -x509 commands are invoked

[ req_distinguished_name ]
# Default directives for the req command
# referenced from [ req ] section
# Presents user prompts to assemble the distinguished name
organizationName         = Organization Name (must match CA)
organizationName_default = ORGNAME              # REPLACE VALUE AS PROMPT DEFAULT FOR YOUR ORG
organizationalUnitName   = Location Name
commonName               = Common User or Org Name
# These two values above can be changed but are not required.
# Their values will appear as prompts when creating certs/keys.
# Max characters in common name.
commonName_max           = 64

[ user_extensions ]
# default directives when ca command signs a certificate
# referenced from [ CA_default ]
basicConstraints = CA:FALSE             # The certificate is not allowed to sign other objects

[ CA_extensions ]
# default directives for req & -x509 command
# referenced from [ req ] section
# added extensions when request creates self signed certificate
basicConstraints = CA:TRUE              # Certificate is allowed to sign other new certificates.
default_days     = 9125                 # Days a self signed cert is valid. If not used, the default
                                        # of 30 days may be applied and VPN clients will not be able
                                        # to connect after it expires.
                                        # NOTE: default_days is not an X.509v3 extension name; every
                                        # key in this section is parsed as an extension, which is the
                                        # "unknown extension name ... name=default_days" error above.

[ server ]
# Optional directives for ca & -extensions server commands
# Overrides [ user_extensions ] section normally referenced
# by the ca command alone.
basicConstraints = CA:FALSE
nsCertType       = server               # signing a server certificate requires this extension to
                                        # prevent man in the middle attacks. Allows OpenVPN clients
                                        # to use ns-cert-type server in OpenVPN configuration file.
-----------------------------------------------

Thanks
clarence
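The failing `req -x509` step, as an added example that is not part of the post or the linked how-to: the misplaced `default_days` from the question beside a corrected layout, a small lint that finds that kind of mistake, and, if openssl is installed, a CA built from the corrected config. Both config texts and the subject `/O=ORGNAME/CN=Example CA` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the linked how-to: the misplaced
# directive from the question beside a corrected layout, a lint that finds it, and
# (if openssl is installed) a CA built from the corrected, constructed config.

# As posted: a ca/req directive inside an x509v3 extension section, where OpenSSL
# treats every key as an extension name -> "unknown extension name".
BROKEN_CNF='[ req ]
x509_extensions = CA_extensions
[ CA_extensions ]
basicConstraints = CA:TRUE
default_days = 9125'

# Corrected: only X.509v3 extensions in the extension section. Validity comes
# from default_days in [ CA_default ] ("openssl ca") or from -days ("req -x509").
FIXED_CNF='[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 9125
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = CA_extensions
[ req_distinguished_name ]
commonName = Common Name
[ CA_extensions ]
basicConstraints = CA:TRUE'

# lint_ext_section CONFIG_TEXT: print each "default_*" key in the section that
# [ req ] names via x509_extensions (assumption: no extension name starts so).
lint_ext_section() {
    cfg=$(printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]]*$//')
    ext=$(printf '%s\n' "$cfg" | awk -F= '/^\[/ { gsub(/[][ ]/, ""); sect = $0; next }
        sect == "req" && $1 == "x509_extensions" { print $2 }')
    printf '%s\n' "$cfg" | awk -F= -v ext="$ext" '/^\[/ { gsub(/[][ ]/, ""); sect = $0; next }
        sect == ext && $1 ~ /^default_/ { print $1 }'
}
echo "broken config:"; lint_ext_section "$BROKEN_CNF"   # prints default_days
echo "fixed config:";  lint_ext_section "$FIXED_CNF"    # prints nothing

# With the corrected config "req -x509" succeeds; -days sets the validity and
# CA:TRUE comes from [ CA_extensions ]. Check both on the certificate.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d); printf '%s\n' "$FIXED_CNF" > "$tmp/openssl.cnf"
    if openssl req -new -x509 -config "$tmp/openssl.cnf" -newkey rsa:2048 -nodes -days 9125 \
          -subj '/O=ORGNAME/CN=Example CA' -keyout "$tmp/CA_key.pem" -out "$tmp/CA_cert.pem" 2>/dev/null; then
        openssl x509 -in "$tmp/CA_cert.pem" -noout -enddate
        openssl x509 -in "$tmp/CA_cert.pem" -noout -text | grep 'CA:TRUE' || echo "CA:TRUE missing"
    fi
    rm -rf "$tmp"
fi
```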