I am trying to make X.509 certificates for my Openswan connection. When I use my certificates I get a 'no suitable connection for peer' error. This is because the CA does have a locality set in its certificate, but the user certificate does not have a locality in its subject.

I have used the commands from the book Building and Integrating Virtual Private Networks with Openswan. In this example the location 'San Francisco' is in caCert.pem, but not in westCert.pem. I think this difference in the number of RDNs causes my 'no suitable connection for peer' problem.

I ran the following commands on a fresh Ubuntu 10.04 OS because I think that will be the easiest way to create certificates:

Edited /etc/ssl/openssl.cnf:

[ CA_default ]

dir = /home/user/certificates # Where everything is kept
root@ultimate-laptop:/home/user/certificates# mkdir newcerts
root@ultimate-laptop:/home/user/certificates# touch index.txt
root@ultimate-laptop:/home/user/certificates# echo "01" > serial
root@ultimate-laptop:/home/user/certificates# openssl req -x509 -days 3650 -newkey rsa:1024 -keyout caKey.pem -out caCert.pem
Generating a 1024 bit RSA private key
..................................++++++
..............++++++
writing new private key to 'caKey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Smink
Organizational Unit Name (eg, section) []:Private
Common Name (eg, YOUR name) []:Bart Smink Root CA
Email Address []:bartsmink@gmail.com
root@ultimate-laptop:/home/user/certificates# openssl req -newkey rsa:2048 -keyout west.key -out westReq.pem
Generating a 2048 bit RSA private key
......................................................................+++
......................+++
writing new private key to 'west.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Smink
Organizational Unit Name (eg, section) []:Private
Common Name (eg, YOUR name) []:Bart Smink Ultimate-Laptop
Email Address []:bartsmink@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:asdf
An optional company name []:Smink
root@ultimate-laptop:/home/user/certificates# openssl ca -in westReq.pem -days 365 -out westCert.pem -notext -cert caCert.pem -keyfile caKey.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for caKey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Jul 28 10:46:18 2010 GMT
        Not After : Jul 28 10:46:18 2011 GMT
    Subject:
        countryName               = US
        stateOrProvinceName       = California
        organizationName          = Smink
        organizationalUnitName    = Private
        commonName                = Bart Smink Ultimate-Laptop
        emailAddress              = bartsmink@gmail.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            E5:8C:D3:DB:B3:1E:98:6F:3D:B3:2F:14:64:CF:96:3C:EA:6A:15:7A
        X509v3 Authority Key Identifier:
            keyid:A6:5A:2A:7E:A0:DE:27:BB:9C:AE:52:8B:1F:AB:E9:90:27:C2:B1:35

Certificate is to be certified until Jul 28 10:46:18 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@ultimate-laptop:/home/user/certificates# ls
caCert.pem  index.txt.attr  serial      west.key
caKey.pem   index.txt.old   serial.old  westReq.pem
index.txt   newcerts        westCert.pem
root@ultimate-laptop:/home/user/certificates# openssl x509 -in caCert.pem -subject -noout
subject= /C=US/ST=California/L=San Francisco/O=Smink/OU=Private/CN=Bart Smink Root CA/emailAddress=bartsmink@gmail.com
root@ultimate-laptop:/home/user/certificates# openssl x509 -in westCert.pem -subject -noout
subject= /C=US/ST=California/O=Smink/OU=Private/CN=Bart Smink Ultimate-Laptop/emailAddress=bartsmink@gmail.com
root@ultimate-laptop:/home/user/certificates# openssl version
OpenSSL 0.9.8k 25 Mar 2009
root@ultimate-laptop:/home/user/certificates#

Thanks,

Bart Smink
The Netherlands
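Added example, not part of Bart's post or of the book he is following. The transcript above already shows where the L RDN goes: it is typed into the request, but `openssl ca` only copies the subject fields that are named in the policy section it signs under, and the stock `[ policy_match ]` in openssl.cnf lists C, ST, O, OU, CN and emailAddress but not localityName, so L is silently deleted from the issued certificate (the `Certificate Details` block in the transcript is the first place it is missing). The script below reproduces that with a throw-away CA, then signs an identical request under a policy section that does list `localityName`, so the issued subject carries the same RDNs as the CA subject and the mismatch the post suspects of causing 'no suitable connection for peer' disappears. It assumes only an `openssl` command in PATH; the config file, the `policy_vpn` section name, the CN values and the file names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only an `openssl` CLI.
# Reproduces the dropped-L problem with a throw-away CA, then signs the same
# kind of request under a policy section that lists localityName.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/newcerts"; : > "$WORK/index.txt"; echo 01 > "$WORK/serial"

# Hypothetical CA config. policy_match mirrors the stock openssl.cnf policy:
# no localityName line, so `openssl ca` silently deletes L from the subject.
# policy_vpn is the fix: every RDN the requests carry is listed.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $WORK
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/caCert.pem
private_key     = \$dir/caKey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
x509_extensions = usr_cert
policy          = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ policy_vpn ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

DN_PREFIX="/C=US/ST=California/L=San Francisco/O=Smink/OU=Private"

# Self-signed CA whose subject carries L=San Francisco, as in the post.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -subj "$DN_PREFIX/CN=Example Root CA" \
    -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null

# subject_of CERT -> prints the subject in RFC 2253 form (same on all versions)
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# issue_cert NAME POLICY -> make a request with L set, sign it under POLICY,
# print the subject that actually ended up in the certificate
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "$DN_PREFIX/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -policy "$2" \
        -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
    subject_of "$WORK/$1.pem"
}

# has_locality SUBJECT -> 0 if the L RDN survived signing, 1 if it was dropped
has_locality() {
    case "$1" in *"L=San Francisco"*) return 0 ;; *) return 1 ;; esac
}

CA_SUBJECT=$(subject_of "$WORK/caCert.pem")
DROPPED_SUBJECT=$(issue_cert west-stock policy_match)   # stock policy: L gone
FIXED_SUBJECT=$(issue_cert west-fixed policy_vpn)       # fixed policy: L kept

printf 'CA:     %s\nstock:  %s\nfixed:  %s\n' "$CA_SUBJECT" "$DROPPED_SUBJECT" "$FIXED_SUBJECT"
```

With an unmodified Ubuntu openssl.cnf the same effect is available without a custom file: the stock config already contains a `[ policy_anything ]` section in which localityName is optional, so `openssl ca -policy policy_anything ...` keeps L; editing `policy = policy_match` to `policy = policy_anything` under `[ CA_default ]` makes that the default. Whichever way it is done, the check that matters is comparing `openssl x509 -noout -subject` of the CA and of the client certificate and confirming they carry the same set of RDNs before the certificates go anywhere near ipsec.conf.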