[Openswan Users] Generating X 509 certificate problem on Debian Sarge OpenSwan 2.1.3-1

Joost Kraaijeveld J.Kraaijeveld at Askesis.nl
Mon Oct 11 19:45:12 CEST 2004


Hi all,

I want to generate an X.509 certificate on a Debian Sarge machine for connecting Windows 2000 roadwarriors. I followed the recipe as described below to the letter (I copied and pasted all text, did not type anything) after installing OpenSwan ~2 weeks ago. In step 2 of creating the client certificate (/usr/bin/openssl ca -in client01Req.pem -days 730 -out client01Cert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile caKey.pem.locked) I get the following error:

..
failed to update database
TXT_DB error number 2

Anyone any idea what to do?

Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld at Askesis.nl
web: www.askesis.nl 

Recipe:

cd /etc/ipsec.d/
mkdir ca
cd ca
(edit /usr/share/openssl.cnf and change the directory ./DemoCA to /etc/ipsec.d/ca/)

/usr/bin/openssl req -x509 -days 1460 -newkey rsa:1024 -keyout caKey.pem.locked -out caCert.pem -passin pass:foobar -passout pass:foobar
/usr/bin/openssl rsa -passin pass:foobar -passout pass:foobar -in caKey.pem.locked -out caKey.pem

touch index.txt 
echo "01" > serial
mkdir newcerts

First the gateway certificates:

/usr/bin/openssl req -newkey rsa:1024 -keyout gatewayKey.pem.locked -out gatewayReq.pem -passin pass:foobar -passout pass:foobar
/usr/bin/openssl ca -in gatewayReq.pem -days 730 -out gatewayCert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile caKey.pem.locked

cp gatewayCert.pem /etc/ipsec.d/certs/
/usr/bin/openssl rsa -passin pass:foobar -passout pass:foobar -in gatewayKey.pem.locked -out gatewayKey.pem
cp gatewayKey.pem* /etc/ipsec.d/private/
cp caCert.pem /etc/ipsec.d/cacerts/

edit /etc/ipsec.secrets and add:

: RSA /etc/ipsec.d/private/gatewayKey.pem.locked "foobar"

add to ipsec.conf:

conn roadwarrior
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        leftrsasigkey=%cert
        left=82.161.125.16
        #otherwise remote clients won't work
        leftnexthop=82.161.124.1
        leftcert=/etc/ipsec.d/certs/gatewayCert.pem
        auto=add
        authby=rsasig
        pfs=yes
        rekey=yes
conn roadwarrior-net
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        leftrsasigkey=%cert
        left=82.161.125.16
        #otherwise remote clients won't work
        leftnexthop=82.161.124.1
        leftsubnet=172.31.0.0/16
        leftcert=/etc/ipsec.d/certs/gatewayCert.pem
        auto=add
        authby=rsasig
        pfs=yes
        rekey=yes
service ipsec restart

per client:

cd /etc/ipsec.d/ca
/usr/bin/openssl req -newkey rsa:1024 -keyout client01Key.pem.locked -out client01Req.pem -passin pass:foobar -passout pass:foobar
/usr/bin/openssl ca -in client01Req.pem -days 730 -out client01Cert.pem -passin pass:foobar -notext -cert caCert.pem -keyfile caKey.pem.locked
/usr/bin/openssl pkcs12 -export -inkey client01Key.pem.locked -in client01Cert.pem -name askesis -certfile caCert.pem -caname "Askesis CA" -out client01Cert.p12  -passin pass:foobar -passout pass:foobar
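
To make the error in the post concrete, here is an added shell example (mine, not from the original message, from Openswan, or from OpenSSL) that inspects the database openssl ca keeps in index.txt. "TXT_DB error number 2" is OpenSSL's DB_ERROR_INDEX_CLASH: the subject DN of the certificate being issued already has a valid row in index.txt, and with the default unique_subject=yes the CA refuses to issue a second one. In the recipe above every openssl req call prompts interactively for the same DN fields, so if the gateway request and the client01 request were answered with identical values, this is exactly the clash that results. The index rows, serials, dates and DNs in the script are constructed for the example and are not from the poster's setup.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect an "openssl ca"
# database (index.txt) for the condition that produces
#   failed to update database
#   TXT_DB error number 2
# Error 2 is DB_ERROR_INDEX_CLASH: the subject DN being issued already has a
# valid (status "V") row, and unique_subject=yes (the default) rejects it.
# Only "V" rows are indexed for this check, so revoked ("R") rows do not clash.

# Constructed sample index.txt.  Columns are tab separated:
#   status  expiry  revocation-date  serial  filename  subject
# Serials, dates and DNs are made up for this example.
sample_index() {
    printf 'V\t061011174512Z\t\t01\tunknown\t/C=NL/O=Askesis/CN=vpn\n'
    printf 'R\t061011175000Z\t041011180000Z\t02\tunknown\t/C=NL/O=Askesis/CN=old\n'
    printf 'V\t061011180000Z\t\t03\tunknown\t/C=NL/O=Askesis/CN=old\n'
}

# List the subject DNs that currently hold a valid entry in INDEX ($1).
# A new request carrying any of these DNs fails with TXT_DB error number 2.
valid_subjects() {
    awk -F '\t' '$1 == "V" { print $6 }' "$1" | sort -u
}

# Return 0 when issuing a certificate for SUBJECT ($2) from INDEX ($1) would
# clash, 1 otherwise.  SUBJECT must use the slash-separated one-line form
# that openssl ca writes into index.txt.
would_clash() {
    awk -F '\t' -v subj="$2" \
        '$1 == "V" && $6 == subj { found = 1 } END { exit !found }' "$1"
}

# Print subjects that have more than one valid row.  A healthy database
# written with unique_subject=yes never contains any.
duplicate_valid_subjects() {
    awk -F '\t' '$1 == "V" { n[$6]++ } END { for (s in n) if (n[s] > 1) print s }' "$1" | sort
}

# Demonstration on the constructed database.
db=$(mktemp)
sample_index > "$db"
echo "subjects already taken:"
valid_subjects "$db"
for dn in '/C=NL/O=Askesis/CN=vpn' '/C=NL/O=Askesis/CN=client01'; do
    if would_clash "$db" "$dn"; then
        echo "$dn -> would fail with TXT_DB error number 2"
    else
        echo "$dn -> free, openssl ca can issue it"
    fi
done
rm -f "$db"
```

Run it against the real database with `valid_subjects /etc/ipsec.d/ca/index.txt` to see which DNs are already taken. The usual ways out are to give each client its own distinct CN (passing `-subj` to openssl req makes the DN explicit instead of relying on the prompts), to revoke the certificate that holds the DN with `openssl ca -revoke`, which turns its row into "R" and frees the subject, or to set `unique_subject = no` in the CA section of openssl.cnf if several valid certificates per subject are really wanted.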
