[Openswan Users] oakley.log for letoto

James james at nttmcl.com
Mon Jun 4 17:21:54 EDT 2007


James wrote:
> James wrote:
>   
>> Jacco de Leeuw wrote:
>>   
>>     
>>>> Oh, also on the Windows side the built-in XP client says
>>>> "no valid machine certificate on your computer for security 
>>>> authentication".
>>>> I used certimport.exe to import the .p12 file;
>>>> my exact steps are as follows
>>>>       
>>>>         
>>> http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#Error781
>>>
>>> Looks like your PKCS#12 file does not contain a private key.
>>>
>>> Jacco
>>>     
>>>       
>> I'm pretty sure my p12 file has a key in it, but I don't know if Windows 
>> is reading it or something.
>> I had the experience with the Linux clients that if the key information 
>> wasn't on top in the key file then it wouldn't read the private key.
>> So if the key file had the cert first and then the key, 
>> ipsec.secrets would fail, but if I had the key info first and the cert 
>> after it, it would be successful.
>>
>> But as for the p12 file, if I do
>> shell> openssl pkcs12 -in client.p12 -out client.pem
>> I see the following:
>> machine certificate
>> ca certificate
>> private key
>>
>> So is there anything else I should check?
>> _______________________________________________
>>   
>>     
> Oh, also when I look at the certificate under the MMC in Personal > 
> Certificates > Properties
> it notes "you have a private key that corresponds to this certificate",
> BUT
> it also says "this certificate is not valid because one of the 
> certification authorities in the certification path does not appear to 
> be allowed to use certificates or this certificate cannot be used as an 
> end-entity certificate".
>
> Is that normal?
> I used a self-signed CA on my VPN server.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>   
OK, so I finally found the answer to my problem on some OpenSSL forums.
Apparently when creating the CA with OpenSSL's default CA.sh, the default 
openssl.cnf file needs some editing:

You need to edit the openssl.cnf lines that look like the following:

from:
basicConstraints = CA:FALSE
keyUsage = cRLSign, keyCertSign

to:
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign, digitalSignature, keyEncipherment

Hope this helps out some people,
because otherwise Windows won't recognize your CA certificate as an 
authorized signer.
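The fix described above, carried through end to end as an added example (this is not code from the original post, from Openswan, or from OpenSSL's CA.sh): an openssl.cnf whose CA section asserts basicConstraints CA:TRUE, a self-signed CA built from it, a client certificate issued under it with clientAuth usage, and the PKCS#12 bundle the Windows client would import. The check functions at the end verify the two things the thread was chasing: that the CA certificate really carries CA:TRUE, and that the .p12 really contains a private key. All file names, the CA and client subject names, and the export password "changeit" are hypothetical; it assumes a current openssl(1) is on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a CA with the
# basicConstraints CA:TRUE extension, issues a client certificate, packs it
# into a PKCS#12 file and checks the properties Windows cares about.
# Assumes openssl(1) on PATH; paths, names and the password are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl.cnf. [ v3_ca ] is what the CA certificate needs;
# [ v3_client ] is what an end-entity (machine) certificate needs.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Example VPN CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed CA certificate using the v3_ca extensions (hypothetical names).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client key + CSR, sign it with the CA, then bundle key, cert and CA into a .p12.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_client \
    -out "$WORK/client.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/client.p12"
}

# Succeeds if the CA certificate asserts CA:TRUE (what Windows checks on the chain).
ca_is_ca() {
  openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if the PKCS#12 bundle contains a private key (what the XP client checks).
p12_has_key() {
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nodes -nocerts 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Succeeds if the client certificate chains to the CA.
client_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

build_all() {
  write_config && make_ca && make_client
}

# Run the whole flow when invoked as "sh script.sh run"; the functions can
# also be sourced and called individually.
if [ "${1:-}" = "run" ]; then
  build_all && ca_is_ca && p12_has_key && client_verifies && echo "ok: $WORK"
fi
```

If `ca_is_ca` fails on an existing CA, that CA was generated without the v3_ca extensions and Windows will reject the chain no matter how the client certificate was built; if `p12_has_key` fails, the export step was run without `-inkey`, which produces exactly the "no valid machine certificate" error quoted earlier in the thread.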

