[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509
Andreas Steffen
andreas.steffen at strongsec.net
Tue Jul 13 22:49:48 CEST 2004
Well, the public key of your self-signed gateway certificate has the
key ID AwEAAdR5c whereas your CA cert has the key ID AwEAAZyX3. Thus
I don't know with which key you signed your other certificates with.
Just generate a cert signed with your CA's key for Linux gateway but
the distinguished name should differ from the CA's name.
Regards
Andreas
Robert W. Burgholzer wrote:
> Andreas,
> I was un-aware of any differences. Here is what my situation is intended
> to be:
>
> Linux Gateway www2 is the CA, as well as the VPN gateway
>
> I created a CA certificate, then a gateway certificate for my gateway as
> per Nate Carlson's How-To, or at least, as per my interpretation. I
> believe that I entered identical values for all but the passphrase and
> the challenge password. I then stashed this gateway certificate in the
> /etc/ipsec.d/private/ folder. I signed this and other certificates for
> client with the demoCA/cacert.pem file, which I assumed to be my root
> certificate. I guess I have created some confusion in this? How could
> you determine that my public and CA have different names?
>
> I have created a mess, I guess, but how to solve, regenerate all (not a
> problem if I have to), or just re-generate my gateway cert?
>
> r.b.
>
>
>
> At 09:19 PM 7/13/2004 +0200, you wrote:
>
>> Why is the Linux gateway's certificate self-signed but has the
>> same distinguished name but a different public than your CA certificate?
>> Your Windows peer will not be able to put trust into this certificate.
>> With a correct setup all end certificate should be signed by the private
>> key of your CA.
>>
>> Regards
>>
>> Andreas
>>
>> Robert W. Burgholzer wrote:
>>
>>> Andreas,
>>> My pleasure. Here it is:
>>> [root at www2 root]# ipsec auto --listall
>>> 000
>>> 000 List of Public Keys:
>>> 000
>>> 000 Jul 13 14:52:13 2004, 2048 RSA Key AwEAAbtrv, until Apr 15
>>> 10:47:50 2005 ok
>>> 000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Dayton, O=MapTech
>>> Incorporated, OU=Environmental, CN=rbodkin.maptech-inc.com,
>>> E=rbodkin at maptech-inc.com'
>>> 000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:49:42 2004, 2048 RSA Key AwEAAate8, until Apr 15
>>> 10:47:50 2005 ok
>>> 000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Christiansburg,
>>> O=MapTech Incorporated, OU=fieldservices, CN=annex.maptech-inc.com,
>>> E=efitchett at maptech-inc.com'
>>> 000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:27:26 2004, 2048 RSA Key AwEAAca/6, until Apr 15
>>> 10:47:50 2005 ok
>>> 000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech
>>> Incorporated, OU=Network, CN=soulswimmer.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:27:23 2004, 2048 RSA Key AwEAAc4dT, until Apr 15
>>> 10:47:50 2005 ok
>>> 000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech
>>> Incorporated, OU=Engineering, CN=robertwb.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Jul 13 14:27:21 2004, 2048 RSA Key AwEAAdR5c, until Apr 13
>>> 10:52:47 2014 ok
>>> 000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000
>>> 000 List of X.509 End Certificates:
>>> 000
>>> 000 Jul 13 14:27:21 2004, count: 7
>>> 000 subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 issuer: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 serial: 01
>>> 000 pubkey: 2048 RSA Key AwEAAdR5c, has private key
>>> 000 validity: not before Apr 15 10:52:47 2004 ok
>>> 000 not after Apr 13 10:52:47 2014 ok
>>> 000 subjkey:
>>> ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
>>> 000 authkey:
>>> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>> 000 aserial: 00
>>> 000
>>> 000 List of X.509 CA Certificates:
>>> 000
>>> 000 Jul 13 14:27:20 2004, count: 1
>>> 000 subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 issuer: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 serial: 00
>>> 000 pubkey: 2048 RSA Key AwEAAZyX3
>>> 000 validity: not before Apr 15 10:47:50 2004 ok
>>> 000 not after Apr 15 10:47:50 2005 ok
>>> 000 subjkey:
>>> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>> 000 authkey:
>>> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>> 000 aserial: 00
>>> 000
>>> 000 List of X.509 CRLs:
>>> 000
>>> 000 Jul 13 14:27:20 2004, revoked certs: 0
>>> 000 issuer: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech
>>> Incorporated, OU=Network, CN=www2.maptech-inc.com,
>>> E=rburgholzer at maptech-inc.com'
>>> 000 distPts: 'file:///etc/ipsec.d/crls/crl.pem'
>>> 000 updates: this Jul 13 09:40:07 2004
>>> 000 next Aug 12 09:40:07 2004 ok
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users
mailing list