Hi,

I am a newbie at using openssl and facing numerous problems right now. I am using OpenSSL, FreeRADIUS Server and a DOT1X Supplicant. Basically trying to get the Supplicant to authenticate to the FreeRADIUS Server using EAP-TLS.

I used a script (CA.All) to generate the three certificates for root, server and the supplicant. Now here is the problem.

If I include "extensions" (extended key usage field) in my certificates (Client Authentication/Server Authentication), my Client (Supplicant) always fails in the following call in the file s3_clnt.c:

ssl3_get_server_certificate()
|
------> verify_cert_chain()
         |
         -------> check_chain_purpose()
                   |
                   ------->X509_check_purpose()
                            |
                            -------> ku_reject()

Basically, the error that is returned here is X509_V_ERR_INVALID_PURPOSE. I explored till the very lowest level and found out that the field x->ex_xkusage is set to 0x00 EVEN THOUGH the certificate does have "extension" enabled in it.

On the other hand when I generate all the certificates without the flag "extension", I do not see this error. But then, when the Client does finally send its own certificate to the Server, the Server complains of BAD SIGNATURE.

I would really appreciate it if someone can help me with this issue.

Following are my questions:

1- I noticed that the certificates generated with the "extensions" (extended key usage field) enabled do not have other basic key usages like DigitalSignature, Key Repudiation and Key Encipherment. I mean to say that either the certificate can have an extended key usage OR it can have Digital Signature, Key Repudiation etc. Is this the correct behavior?

2- Is the extended key usage field necessary when we are trying to authenticate a Client to a Server in the 802.1X environment? OR can we authenticate a client to the Server without this extension field as well?

Thanks,
Bilal
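As an added illustration for question 1 (this is not part of the original post and not the CA.All script), the following script builds a throwaway CA and a server certificate whose extension section sets keyUsage and extendedKeyUsage side by side, then runs the same purpose check that X509_check_purpose() performs, via `openssl verify -purpose`. A certificate issued with serverAuth passes the sslserver check and fails the sslclient one, which is the kind of mismatch that surfaces as X509_V_ERR_INVALID_PURPOSE. All names, subjects and the config file are constructed for the demo.

```shell
#!/bin/sh
# Added example: show that one certificate can carry BOTH keyUsage and
# extendedKeyUsage, and reproduce OpenSSL's purpose check on it.
# Every path, subject and section name below is constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config: [req] is the minimum 'openssl req' needs with -subj,
# [ca_ext] marks the demo CA, [server_ext] sets keyUsage AND extendedKeyUsage.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Self-signed demo root CA (valid for one day, throwaway key).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -config "$WORK/ext.cnf" -extensions ca_ext >/dev/null 2>&1

# Server (RADIUS) key and CSR, then sign it with the server_ext section.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=radius.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -config "$WORK/ext.cnf" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions server_ext \
  -out "$WORK/server.crt" >/dev/null 2>&1

# Returns 0 when the issued cert shows both a basic key usage and an EKU.
cert_has_both_usages() {
  text=$(openssl x509 -in "$WORK/server.crt" -noout -text)
  printf '%s\n' "$text" | grep -q 'Digital Signature' &&
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

# Returns 0 when the chain verifies for the given purpose (sslserver/sslclient),
# i.e. the same decision X509_check_purpose() makes inside the TLS handshake.
verify_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$WORK/server.crt" \
    >/dev/null 2>&1
}

# Stand-alone run: print what the purpose check decides for each side.
if cert_has_both_usages; then
  echo "server.crt carries keyUsage and extendedKeyUsage together"
fi
if verify_purpose sslserver; then
  echo "purpose sslserver: OK"
fi
if ! verify_purpose sslclient; then
  echo "purpose sslclient: rejected (serverAuth-only EKU, as expected)"
fi
```

The interesting part is the [server_ext] section: keyUsage and extendedKeyUsage are independent extensions, so a client certificate for EAP-TLS would simply list `clientAuth` (and `digitalSignature`) in its own section. Running `openssl x509 -noout -text` on the certificate you actually deploy, and `openssl verify -purpose sslclient` against your CA, is a quick way to confirm what the supplicant side will be checked against before touching the RADIUS server.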



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]