[Openswan Users] oakley.log for letoto
James
james at nttmcl.com
Mon Jun 4 17:21:54 EDT 2007
James wrote:
> James wrote:
>
>> Jacco de Leeuw wrote:
>>
>>
>>>> Oh also on the Windows side the built-in XP client says
>>>> "no valid machine certificate on your computer for security
>>>> authentication".
>>>> I used certimport.exe to import the .p12 file.
>>>> My exact steps are as follows
>>>>
>>>>
>>> http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#Error781
>>>
>>> Looks like your PKCS#12 file does not contain a private key.
>>>
>>> Jacco
>>>
>>>
>> I'm pretty sure my p12 file has a key file in it, but I dunno if Windows
>> is reading it or something maybe.
>> I had the experience with the Linux clients that if the key information
>> wasn't on top in the key file then it wouldn't read the private key.
>> So if in the key file it had the cert first then key then the
>> ipsec.secrets would fail, but if I had the key info first then cert
>> after it would be successful.
>>
>> But as for the p12 file I can do a
>> shell> openssl pkcs12 -in client.p12 -out client.pem
>> and I see the following:
>> machine certificate
>> ca certificate
>> private key
>>
>> So anything else I should check?
>>
>>
> Oh also when I look at the certificate under the MMC in Personal >
> Certificates > Properties
> it notes "you have a private key that corresponds to this certificate"
> BUT
> it also says "this certificate is not valid because one of the
> certification authorities in the certification path does not appear to
> be allowed to use certificates or this certificate cannot be used as an
> end-entity certificate".
>
> Is that normal?
> I used a self-signed CA on my VPN server.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
Ok so I finally found the answer to my problem on some openssl forums.
Apparently when creating the CA with openssl's default CA.sh the default
openssl.cnf file needs some editing.
You need to edit the openssl.cnf lines that look like the following:
from:
Basic Constraints: CA:false
keyUsage = cRLSign, keyCertSign
to:
Basic Constraints: CA:TRUE
keyUsage = cRLSign, keyCertSign, digitalSignature, keyEncipherment
Hope this helps out some people,
because otherwise Windows won't recognize your CA certificate as an
authorized signer.
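An added check (not code from the thread or from Openswan) for the fix James describes: it reads the output of `openssl x509 -noout -text` for the CA certificate and reports whether Basic Constraints says CA:TRUE and whether Key Usage carries the four bits he lists, so you can verify a CA before exporting a .p12 to a Windows client. The function names are mine and the two sample dumps are constructed inline.

```sh
#!/bin/sh
# Added example, not from the thread: verify that a CA certificate carries the
# extensions the post says Windows XP needs before it accepts the chain:
# basicConstraints CA:TRUE and a keyUsage with Certificate Sign, CRL Sign,
# Digital Signature and Key Encipherment.

# Print the line that follows the named extension in `openssl x509 -text` output.
ext_value() {
    awk -v name="$1" 'found { print; exit } index($0, name) { found = 1 }'
}

# Reads an `openssl x509 -noout -text` dump on stdin; returns 0 if every
# expected value is present, 1 otherwise (each missing value is reported).
check_ca_ext() {
    dump=$(cat)
    bc=$(printf '%s\n' "$dump" | ext_value 'X509v3 Basic Constraints')
    ku=$(printf '%s\n' "$dump" | ext_value 'X509v3 Key Usage')
    rc=0
    case "$bc" in
        *CA:TRUE*) ;;
        *) echo "basicConstraints is not CA:TRUE (got: ${bc:-none})"; rc=1 ;;
    esac
    for want in 'Certificate Sign' 'CRL Sign' 'Digital Signature' 'Key Encipherment'; do
        case "$ku" in
            *"$want"*) ;;
            *) echo "keyUsage lacks '$want' (got: ${ku:-none})"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample dumps (extension block only): a CA built with the default
# section the post describes, and one built with the corrected section.
DEFAULT_CA_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign'
FIXED_CA_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign'

# Against a real CA file: openssl x509 -in cacert.pem -noout -text | check_ca_ext
printf '%s\n' "$DEFAULT_CA_DUMP" | check_ca_ext || echo "default CA: rejected"
printf '%s\n' "$FIXED_CA_DUMP" | check_ca_ext && echo "fixed CA: accepted"
```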