[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509

Andreas Steffen andreas.steffen at strongsec.net
Tue Jul 13 22:49:48 CEST 2004


Well, the public key of your self-signed gateway certificate has the
key ID AwEAAdR5c whereas your CA cert has the key ID AwEAAZyX3. Thus
I don't know with which key you signed your other certificates.
Just generate a cert signed with your CA's key for the Linux gateway, but
the distinguished name should differ from the CA's name.

Regards

Andreas

Robert W. Burgholzer wrote:

> Andreas,
> I was unaware of any differences. Here is what my situation is intended 
> to be:
> 
> Linux Gateway www2 is the CA, as well as the VPN gateway
> 
> I created a CA certificate, then a gateway certificate for my gateway as 
> per Nate Carlson's How-To, or at least, as per my interpretation. I 
> believe that I entered identical values for all but the passphrase and 
> the challenge password.  I then stashed this gateway certificate in the 
> /etc/ipsec.d/private/ folder. I signed this and other certificates for 
> client with the demoCA/cacert.pem file, which I assumed to be my root 
> certificate. I guess I have created some confusion in this? How could 
> you determine that my public and CA have different names?
> 
> I have created a mess, I guess, but how to solve, regenerate all (not a 
> problem if I have to), or just re-generate my gateway cert?
> 
> r.b.
> 
> 
> 
> At 09:19 PM 7/13/2004 +0200, you wrote:
> 
>> Why is the Linux gateway's certificate self-signed but has the
>> same distinguished name but a different public key than your CA certificate?
>> Your Windows peer will not be able to put trust into this certificate.
>> With a correct setup all end certificates should be signed by the private
>> key of your CA.
>>
>> Regards
>>
>> Andreas
>>
>> Robert W. Burgholzer wrote:
>>
>>> Andreas,
>>> My pleasure. Here it is:
>>> [root at www2 root]# ipsec auto --listall
>>> 000
>>> 000 List of Public Keys:
>>> 000
>>> 000 Jul 13 14:52:13 2004, 2048 RSA Key AwEAAbtrv, until Apr 15 
>>> 10:47:50 2005 ok
>>> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Dayton, O=MapTech 
>>> Incorporated, OU=Environmental, CN=rbodkin.maptech-inc.com, 
>>> E=rbodkin at maptech-inc.com'
>>> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:49:42 2004, 2048 RSA Key AwEAAate8, until Apr 15 
>>> 10:47:50 2005 ok
>>> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Christiansburg, 
>>> O=MapTech Incorporated, OU=fieldservices, CN=annex.maptech-inc.com, 
>>> E=efitchett at maptech-inc.com'
>>> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:27:26 2004, 2048 RSA Key AwEAAca/6, until Apr 15 
>>> 10:47:50 2005 ok
>>> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech 
>>> Incorporated, OU=Network, CN=soulswimmer.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:27:23 2004, 2048 RSA Key AwEAAc4dT, until Apr 15 
>>> 10:47:50 2005 ok
>>> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech 
>>> Incorporated, OU=Engineering, CN=robertwb.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:27:21 2004, 2048 RSA Key AwEAAdR5c, until Apr 13 
>>> 10:52:47 2014 ok
>>> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000
>>> 000 List of X.509 End Certificates:
>>> 000
>>> 000 Jul 13 14:27:21 2004, count: 7
>>> 000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        serial:   01
>>> 000        pubkey:   2048 RSA Key AwEAAdR5c, has private key
>>> 000        validity: not before Apr 15 10:52:47 2004 ok
>>> 000                  not after  Apr 13 10:52:47 2014 ok
>>> 000        subjkey: 
>>> ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
>>> 000        authkey: 
>>> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>> 000        aserial:  00
>>> 000
>>> 000 List of X.509 CA Certificates:
>>> 000
>>> 000 Jul 13 14:27:20 2004, count: 1
>>> 000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        serial:   00
>>> 000        pubkey:   2048 RSA Key AwEAAZyX3
>>> 000        validity: not before Apr 15 10:47:50 2004 ok
>>> 000                  not after  Apr 15 10:47:50 2005 ok
>>> 000        subjkey: 
>>> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>> 000        authkey: 
>>> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>> 000        aserial:  00
>>> 000
>>> 000 List of X.509 CRLs:
>>> 000
>>> 000 Jul 13 14:27:20 2004, revoked certs: 0
>>> 000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>> E=rburgholzer at maptech-inc.com'
>>> 000        distPts: 'file:///etc/ipsec.d/crls/crl.pem'
>>> 000        updates:  this Jul 13 09:40:07 2004
>>> 000                  next Aug 12 09:40:07 2004 ok

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
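The diagnosis in this thread rests on three checks that the `ipsec auto --listall` output lets you do by eye: does the end certificate's issuer DN match the CA's subject DN, does its authority key identifier match the CA's subject key identifier, and does its signature actually verify against the CA's key (a self-signed gateway cert fails the last two even when the DN matches). The following script is an added example, not something posted in the thread or shipped with Openswan; it assumes only the `openssl` command-line tool is installed and uses constructed DNs. It reproduces both the broken setup (a gateway cert with the CA's DN but its own key) and the corrected one (a gateway cert with a distinct DN, signed by the CA's private key), then runs the same checks the reply describes.

```shell
#!/bin/sh
# Added example, not from the Openswan mailing-list thread. Requires the
# openssl CLI. All DNs, file names and the working directory are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_DN="/C=XX/O=Example Org/OU=Network/CN=gw.example.test"      # constructed
GW_DN="/C=XX/O=Example Org/OU=Network/CN=vpn-gw.example.test"  # constructed

# Minimal OpenSSL config: a CA profile and an end-entity profile that carries
# subjectKeyIdentifier/authorityKeyIdentifier, which is what pluto prints as
# "subjkey" and "authkey".
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_end ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Build three certificates:
#   ca.crt   - the self-signed CA
#   bad.crt  - the mistake from the thread: same DN as the CA, self-signed
#              with a freshly generated key, so the CA never signed it
#   good.crt - the fix: distinct DN, CSR signed with the CA's private key
make_certs() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 -subj "$CA_DN" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_end \
        -newkey rsa:2048 -nodes -days 365 -subj "$CA_DN" \
        -keyout "$WORK/bad.key" -out "$WORK/bad.crt" 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" \
        -newkey rsa:2048 -nodes -subj "$GW_DN" \
        -keyout "$WORK/good.key" -out "$WORK/good.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/good.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/openssl.cnf" -extensions v3_end \
        -out "$WORK/good.crt" 2>/dev/null
}

# Print the hex key identifier that follows LABEL in `openssl x509 -text`
# output. Older OpenSSL prefixes the authority key id with "keyid:"; strip it.
key_id() {
    openssl x509 -in "$1" -noout -text | awk -v label="$2" '
        found        { sub(/^[[:space:]]*(keyid:)?/, ""); print; exit }
        index($0, label) { found = 1 }'
}

# Classify how END relates to CA:
#   chain-ok    - signature verifies against CA and AKI == CA's SKI
#   self-signed - END verifies only against its own key (the thread's bug)
#   other       - neither (e.g. signed by some third key)
check_issuance() {
    ca=$1; end=$2
    if openssl verify -CAfile "$ca" "$end" >/dev/null 2>&1 \
       && [ "$(key_id "$ca" 'Subject Key Identifier')" = \
            "$(key_id "$end" 'Authority Key Identifier')" ]; then
        echo chain-ok
    elif openssl verify -CAfile "$end" "$end" >/dev/null 2>&1; then
        echo self-signed
    else
        echo other
    fi
}

# Succeeds when the end certificate's subject DN differs from the CA's,
# which the reply above asks for even once the signing key is right.
dn_differs() {
    [ "$(openssl x509 -in "$1" -noout -subject)" != \
      "$(openssl x509 -in "$2" -noout -subject)" ]
}

make_certs
printf 'gateway cert with CA DN, own key : %s\n' "$(check_issuance "$WORK/ca.crt" "$WORK/bad.crt")"
printf 'gateway cert signed by CA key    : %s\n' "$(check_issuance "$WORK/ca.crt" "$WORK/good.crt")"
```

Running it prints `self-signed` for the first certificate and `chain-ok` for the second; `dn_differs "$WORK/ca.crt" "$WORK/good.crt"` succeeds while the same call against `bad.crt` fails, which is the DN clash the reply warns about. The same `key_id` and `openssl verify` calls can be run against the files under `/etc/ipsec.d/certs` and `/etc/ipsec.d/cacerts` to confirm what pluto's "authkey"/"subjkey" lines show.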

