Goetz Babin-Ebell wrote:
Sergio wrote:
| Hi people,
Hello Sergio,
| client.pem is signed by server.pem, and server.pem is signed by ca.pem.
It is a bad bad idea to sign a client certificate with
a server certificate.
Usually server certificates don't have the extensions
to sign certificates but have extensions explicitly
signaling that they are not to be used to sign certificates.
Try to sign the client certs with the ca certificate.
Then check in the freeradius configuration that the CA used
to verify client certificates is the CA certificate.
If you insist on an intermediate certificate between the
CA and the client certificates you must either configure
the server to also use the intermediate CA as a CA
or you must configure the clients to send the intermediate
back to the server.
Goetz
-- 
DMCA: The greed of the few outweighs the freedom of the many
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Hi Goetz,
I think so and you're right. Signing a client cert with a server cert is
inefficient, and all my problems would solve themselves if radius had OCSP
support. If I sign all the certs with the CA private key everything works OK,
but people on the freeradius mailing list are insisting that the
default configuration works. Also, if I put the server cert and the CA cert
into a both.pem file and use both.pem as CA_file, it works. But because of
this, I think I'd have problems checking the CRL because the hash value
of CA_file isn't the CA file's. Is it true?
Last question :)
How can I find out which openssl.cnf file is mine? I have
/etc/ssl/openssl.cnf, /usr/local/ssl and one more which I've forgotten.
This month I've been using the -config option with the "openssl ca"
command because editing the above files doesn't take effect.
Thank you very much
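The points raised in both messages above, worked through with openssl(1) as an added example; this is not code from the thread, from OpenSSL or from FreeRADIUS. It assumes only a working openssl binary. The CA name (Example-Root), the file names (sub, server, badclient, goodclient, bundle.pem, both.pem, the trust/ directory) and the config snippets are made up for the example. It builds a tiny PKI, shows that a client cert signed by a CA:FALSE server cert does not verify, shows the two ways Goetz names for a real intermediate (sent by the client, here via -untrusted, or included in the trusted CA bundle), and ends with the hash question: a CApath directory locates certificates and CRLs by subject-name hash, and "openssl x509 -hash" on a combined file reports only the first certificate in it.

```shell
#!/bin/sh
# Added example (not code from the thread, from OpenSSL or from FreeRADIUS):
# build a throwaway PKI with openssl(1) and show, on real certificates,
#   1. a client cert signed by a server cert fails verification, because the
#      server cert carries basicConstraints CA:FALSE;
#   2. a client cert signed by a proper intermediate verifies only when the
#      verifier gets the intermediate, either as an untrusted chain cert
#      (what the client would send) or inside the trusted CA bundle;
#   3. a CRL in a CApath directory is found by its issuer's subject-name hash,
#      and "x509 -hash" on a combined file reports only its first cert.
# All names (Example-Root, sub, server, ...) and the config are made up here.
set -eu

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"; }

# issue NAME ISSUER SECTION: CSR for /CN=NAME, signed with ISSUER.key/ISSUER.pem
issue() {
  openssl req -new -config pki.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$3" -out "$1.pem"
}

build_pki() {
  PKI=$(mktemp -d); cd "$PKI"
  # Private config: -config/-extfile keep the run independent of whichever
  # openssl.cnf the system would otherwise pick (the thread's last question).
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_ee ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = root
[ root ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  for n in ca sub server badclient goodclient; do newkey "$n.key"; done
  openssl req -x509 -new -config pki.cnf -key ca.key -subj /CN=Example-Root \
    -days 30 -extensions v3_ca -out ca.pem
  issue sub ca v3_ca             # real intermediate CA
  issue server ca v3_ee          # server cert: CA:FALSE, so no cert signing
  issue badclient server v3_ee   # the thread's setup: client signed by server
  issue goodclient sub v3_ee     # client signed by the intermediate
  cat ca.pem sub.pem > bundle.pem    # "also use the intermediate CA as a CA"
  cat server.pem ca.pem > both.pem   # the both.pem from the thread
  # The root revokes the server cert and publishes a CRL into a hashed CApath dir.
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl ca -config pki.cnf -revoke server.pem
  openssl ca -config pki.cnf -gencrl -out ca.crl
  mkdir trust
  cp ca.pem "trust/$(openssl x509 -hash -noout -in ca.pem).0"
  cp ca.crl "trust/$(openssl crl -hash -noout -in ca.crl).r0"
}

# is_ca FILE: yes/no from basicConstraints; check this before signing with a cert.
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# verify_chain <openssl verify args> CERT: prints "ok" or the reason from the
# "error N at D depth lookup: <reason>" line (older OpenSSL releases exited 0
# even on failure, so the exit status alone is not enough).
verify_chain() {
  openssl verify "$@" > out.txt 2>&1 || true
  if grep -q ': OK$' out.txt; then echo ok
  else sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' out.txt | head -n 1; fi
}

# first_cert_hash FILE: the subject-name hash CApath lookups use; x509(1) only
# reads the first certificate in a file.
first_cert_hash() { openssl x509 -hash -noout -in "$1"; }

main() {
  build_pki
  echo "ca.pem is a CA: $(is_ca ca.pem), server.pem is a CA: $(is_ca server.pem)"
  echo "client signed by server:     $(verify_chain -CAfile ca.pem -untrusted server.pem badclient.pem)"
  echo "client signed by sub, alone: $(verify_chain -CAfile ca.pem goodclient.pem)"
  echo "... sub sent by client:      $(verify_chain -CAfile ca.pem -untrusted sub.pem goodclient.pem)"
  echo "... sub in the CA bundle:    $(verify_chain -CAfile bundle.pem goodclient.pem)"
  echo "revoked server, CRL check:   $(verify_chain -crl_check -CApath trust server.pem)"
  echo "hash of both.pem $(first_cert_hash both.pem) = server $(first_cert_hash server.pem), not ca $(first_cert_hash ca.pem)"
}
main
```

Run it as a script; it prints one line per check. Every command passes -config or -extfile with the local pki.cnf, which is also the direct answer to the openssl.cnf question: OpenSSL reads the file named by -config, otherwise the one named by the OPENSSL_CONF environment variable, otherwise openssl.cnf in the compiled-in directory that "openssl version -d" prints; editing any other copy has no effect.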