Hi team,

I am unable to establish peer authentication between the 2 users (user1 and
user2) using X.509 certificates. It fails with the error "failed to get public
key". Could somebody please help me resolve this issue?


I am creating a root CA and 2 sub CAs. Each sub CA issues certificates to
its user. Now I want to authenticate
the users of the 2 sub CAs against each other.

Topology:
                    CA
                   /     \
            subCA1  subCA2
                /           \
           user1      user2

Details:
I am using a RootCA which issues certificates signed by its private
key (rootca.key) to subCA1 (subca1cert.pem) and to subCA2 (subca2cert.pem), and
which has its own self-signed certificate (rootcacert.pem), created with these openssl commands:
private key of RootCA -- openssl genrsa -out rootca.key 4096
RootCA certificate --openssl req -new -x509 -days 1826 -key rootca.key -out
rootcacert.pem
subCA1 private key -- openssl genrsa -out subca1.key 4096
subCA1 certificate request from RootCA -- openssl req -new -key subca1.key
-out subca1cert.pem
signed  subCA1 certificate from RootCA --  openssl x509 -req -days 730 -in
subca1cert.pem -CA rootcacert.pem -CAkey rootca.key -set_serial 01 -out
subca1cert.pem
and similar openssl commands for generating private key and certificate of
subCA2 and getting it signed by the RootCA.
Further, subCA1 and subCA2 generated certificates and private keys for
user1 (user1cert.pem & user1.key) and user2 (user2cert.pem & user2.key)
and signed them using their own private keys (subca1.key and subca2.key).

openssl commands for generating cert for user1 from subCA1 and getting it
signed by subCA1's private key(subca1.key):
generating private key for user1 -- openssl genrsa -out user1.key 4096
generating cert request for user1 from subCA1-- openssl req -new -key
user1.key -out user1cert.pem
getting cert of user1 signed by subCA1 using its private key --  openssl
x509 -req -days 730 -in user1cert.pem -CA subca1cert.pem -CAkey subca1.key
-set_serial 01 -out user1cert.pem

and similar openssl commands for user2 for generating the private key and cert
request, and getting the cert signed by subCA2 using its private key, i.e. subca2.key.

Now, user1 and user2 are using these certificates for IKE authentication
using racoon2.
user1 has its CA certificates in a file which contains rootCA and subCA1.
user2 has its CA certificates in a file which contains rootCA and subCA2.
During the authentication process user1/user2 send only their own cert, not the
full cert chain.
Is this correct, or am I missing something?
Authentication is failing:
2010-07-09 12:00:24 [PROTO_ERR]: crypto_openssl.c:351:cb_check_cert():
unable to get local issuer certificate(20) at depth:0
SubjectName:/C=IN/ST=KARNATAKA/L=BANGALORE/O=ORACLE/OU=SVABU/CN=USER1/emailAddress=
deol.depin...@gmail.com
2010-07-09 12:00:24 [INTERNAL_ERR]:
crypto_openssl.c:306:eay_check_x509cert():
2010-07-09 12:00:24 [INTERNAL_ERR]: ike_conf.c:713:ikev2_public_key():
failed verifying certificate authrotiy of cert (/home/d/certs/user1cert.pem)
2010-07-09 12:00:24 [PROTO_ERR]: ike_conf.c:761:ikev2_public_key(): no
matching public key
2010-07-09 12:00:24 [INTERNAL_ERR]: ikev2_auth.c:448:ikev2_auth_verify():
1:10.76.91.60[500] - 10.76.91.59[500]:(nil):failed to get public key
2010-07-09 12:00:24 [PROTO_ERR]: ikev2_auth.c:615:ikev2_verify():
1:10.76.91.60[500] - 10.76.91.59[500]:0x81e1058:authentication failure

Please find configuration files for user1 and user2 in the attachment.

Regards,
Depinder
# user1's racoon2 configuration.
# CERTDIR is expanded as ${CERTDIR} below for the local cert/key pair and
# for the pinned copy of the peer's certificate.
setval {
       CERTDIR  "/home/d/certs";
              };
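# Control-socket settings: how iked reaches spmd and which address it
# listens on for IKE.
interface{
        # Unix socket of spmd. NOTE(review): the copy in the mail had a
        # trailing space inside the quotes ("spmif "); a socket path must
        # match spmd's byte-for-byte, so it is written without it here, the
        # same as in user2's file.
        spmd { unix "/var/run/racoon2/spmif" ; };
        # Shared password for the spmd connection; this file should be
        # readable only by the user the racoon2 daemons run as.
        spmd_password "/usr/local/racoon2/etc/racoon2/spmd.pwd" ;
        # Local IKE listen address (this host is user1).
        ike {10.76.91.59 ; };
        };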
 # IKEv2 peer definition for user1 (10.76.91.59) <-> user2 (10.76.91.60).
 # NOTE(review): the log quoted in the mail reports OpenSSL verify error 20
 # ("unable to get local issuer certificate") at depth 0, i.e. the issuer of
 # the peer's leaf certificate is not in the trust store iked consults. Per
 # the mail, user1's CA file holds rootCA + subCA1 only while user2's cert is
 # issued by subCA2, so the subCA2 certificate presumably has to be part of
 # user1's CA material as well (and subCA1's part of user2's), unless the
 # peers are made to send the full chain. `openssl verify -CAfile <ca-bundle>
 # user2cert.pem` reproduces the same check outside racoon2.
 remote 59--60 {

 acceptable_kmp { ikev2; };
      ikev2 {
        peers_ipaddr    10.76.91.60 ;
        # Both identities are the subject names of the respective certs.
        peers_id        x509_subject "/home/d/certs/user2cert.pem" ;
        my_id           x509_subject "/home/d/certs/user1cert.pem" ;
        kmp_enc_alg     { aes192_cbc; };
        # NOTE(review): hmac_md5 for PRF/integrity and modp1024 are weak by
        # current standards. They are not the cause of the failure above, but
        # hmac_sha1 (or stronger) and modp2048 are preferable where both
        # peers support them.
        kmp_prf_alg     { hmac_md5; };
        kmp_hash_alg    { hmac_md5; };
        kmp_dh_group    { modp1024; };
        kmp_auth_method { rsasig ; };
        # Local certificate and private key; user1.key should be readable
        # only by the iked user.
        my_public_key  x509pem "${CERTDIR}/user1cert.pem"  
"${CERTDIR}/user1.key";
        # Peer certificate pinned from a local copy; the trailing "" is
        # presumably the (absent) private-key slot.
        # NOTE(review): per the mail, the sub-CA certs were produced with
        # `openssl x509 -req ... -set_serial 01` and no extension file, so
        # they likely carry no basicConstraints CA:TRUE; once the issuer
        # lookup is fixed, OpenSSL may still reject them as CAs. Check with
        # `openssl x509 -in subca2cert.pem -noout -text`. If subCA2 was also
        # given serial 01 by the root, two certs from one issuer share a
        # serial, which X.509 requires to be unique.
        peers_public_key  x509pem "${CERTDIR}/user2cert.pem"  "";
            };
                 };


 # Policy tying the selectors below to the remote above: transport-mode ESP
 # between user1 and user2. ipsec_level require means matching traffic is
 # only passed once protected (no cleartext fallback, unlike "use").
 policy ipsec-policy {
      action auto_ipsec;
      remote_index 59--60;
      ipsec_mode transport;
      ipsec_index { ipsec-i-r ; };
      ipsec_level require;
      peers_sa_ipaddr 10.76.91.60;
      my_sa_ipaddr 10.76.91.59;
    };

 # IPsec bundle referenced by ipsec-policy; it consists of the single SA
 # definition below.
 ipsec ipsec-i-r {
      sa_index { security-association ; };
    };

 # ESP with AES-128-CBC encryption and HMAC-MD5 integrity.
 # NOTE(review): hmac_md5 is weak by current standards; hmac_sha1 or
 # stronger is preferable where both peers support it.
 sa security-association {
      sa_protocol esp;
      esp_enc_alg { aes128_cbc;  };
   esp_auth_alg { hmac_md5; };
    };



 # Outbound selector: all traffic from this host (user1) to user2 falls
 # under ipsec-policy.
 selector out {
      direction outbound;
      src 10.76.91.59;
      dst 10.76.91.60;
      upper_layer_protocol "any";
      policy_index ipsec-policy;
    };
 # Inbound selector: the mirror of "out", all traffic from user2 to this
 # host (user1) falls under ipsec-policy.
 selector in {
      direction inbound;
      src 10.76.91.60;
      dst 10.76.91.59;
      upper_layer_protocol "any";
      policy_index ipsec-policy ;
    };
# user2's racoon2 configuration.
# CERTDIR is expanded as ${CERTDIR} below for the local cert/key pair and
# for the pinned copy of the peer's certificate.
setval {
       CERTDIR  "/home/d/certs";
              };
# Control-socket settings: how iked reaches spmd and which address it
# listens on for IKE.
interface{
        # Unix socket of spmd (must match the path spmd creates exactly).
        spmd { unix "/var/run/racoon2/spmif"   ; };
        # Shared password for the spmd connection; this file should be
        # readable only by the user the racoon2 daemons run as.
        spmd_password "/usr/local/racoon2/etc/racoon2/spmd.pwd" ;
        # Local IKE listen address (this host is user2).
        ike {10.76.91.60 ; };
        };
 # IKEv2 peer definition for user2 (10.76.91.60) <-> user1 (10.76.91.59).
 # NOTE(review): the issuer-lookup failure quoted in the mail (OpenSSL verify
 # error 20 at depth 0) applies in this direction too: per the mail, user2's
 # CA file holds rootCA + subCA2 only, while user1's cert is issued by
 # subCA1, so the subCA1 certificate presumably has to be present in user2's
 # CA material as well, unless the peers are made to send the full chain.
 remote 59--60 {

 acceptable_kmp { ikev2; };
      ikev2 {
        peers_ipaddr    10.76.91.59 ;
        # Both identities are the subject names of the respective certs.
        peers_id        x509_subject "/home/d/certs/user1cert.pem" ;
        my_id           x509_subject "/home/d/certs/user2cert.pem" ;
        kmp_enc_alg     { aes192_cbc; };
        # NOTE(review): hmac_md5 and modp1024 are weak by current standards;
        # not the cause of the failure, but hmac_sha1 (or stronger) and
        # modp2048 are preferable where both peers support them. Both peers
        # must agree, so change them together with user1's file.
        kmp_prf_alg     { hmac_md5; };
        kmp_hash_alg    { hmac_md5; };
        kmp_dh_group    { modp1024; };
        kmp_auth_method { rsasig ; };
        # Local certificate and private key; user2.key should be readable
        # only by the iked user.
        my_public_key x509pem "${CERTDIR}/user2cert.pem" "${CERTDIR}/user2.key";
        # Peer certificate pinned from a local copy; the trailing "" is
        # presumably the (absent) private-key slot.
        peers_public_key x509pem "${CERTDIR}/user1cert.pem"  "";
            };
                 };


 # Policy tying the selectors below to the remote above: transport-mode ESP
 # between user2 and user1. ipsec_level require means matching traffic is
 # only passed once protected (no cleartext fallback, unlike "use").
 policy ipsec-policy {
      action auto_ipsec;
      remote_index 59--60;
      ipsec_mode transport;
      ipsec_index { ipsec-i-r; };
      ipsec_level require;
      peers_sa_ipaddr 10.76.91.59;
      my_sa_ipaddr 10.76.91.60;
    };

 # IPsec bundle referenced by ipsec-policy; it consists of the single SA
 # definition below.
 ipsec ipsec-i-r {
      sa_index { security-association ; };
    };

 # ESP with AES-128-CBC encryption and HMAC-MD5 integrity; must match the
 # peer's SA definition.
 # NOTE(review): hmac_md5 is weak by current standards; hmac_sha1 or
 # stronger is preferable where both peers support it.
 sa security-association {
      sa_protocol esp;
      esp_enc_alg { aes128_cbc;  };
   esp_auth_alg { hmac_md5; };
    };



 # Outbound selector: all traffic from this host (user2) to user1 falls
 # under ipsec-policy.
 selector out {
      direction outbound;
      src 10.76.91.60;
      dst 10.76.91.59;
      upper_layer_protocol "any";
      policy_index ipsec-policy;
    };
 # Inbound selector: the mirror of "out", all traffic from user1 to this
 # host (user2) falls under ipsec-policy.
 selector in {
      direction inbound;
      src 10.76.91.59;
      dst 10.76.91.60;
      upper_layer_protocol "any";
      policy_index ipsec-policy ;
    };


//parth-9039200230
                                     
