[Openswan Users] Missing Locality in x509 certificate subject

Bart Smink bartsmink at gmail.com
Wed Jul 28 06:54:04 EDT 2010


I am trying to make x509 certificates for my Openswan connection. When I use
my certificates I get a 'no suitable connection for peer' error. This is
because the CA does have a locality set in its certificate, but the user
certificate does not have a locality in its subject.

I have used the commands from the book Building and Integrating Virtual
Private Networks with Openswan. In this example the location 'San Francisco'
is in the caCert.pem, but not in westCert.pem. I think this difference in the
number of RDNs causes my 'no suitable connection for peer' problem.

I ran the following commands on a fresh Ubuntu 10.04 OS because I think that
will be the easiest way to create certificates:

Edited /etc/ssl/openssl.cnf:
[ CA_default ]

dir             = /home/user/certificates               # Where everything is kept

root at ultimate-laptop:/home/user/certificates# mkdir newcerts
root at ultimate-laptop:/home/user/certificates# touch index.txt
root at ultimate-laptop:/home/user/certificates# echo "01" > serial
root at ultimate-laptop:/home/user/certificates# openssl req -x509 -days 3650 -newkey rsa:1024 -keyout caKey.pem -out caCert.pem
Generating a 1024 bit RSA private key
..................................++++++
..............++++++
writing new private key to 'caKey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Smink
Organizational Unit Name (eg, section) []:Private
Common Name (eg, YOUR name) []:Bart Smink Root CA
Email Address []:bartsmink at gmail.com
root at ultimate-laptop:/home/user/certificates# openssl req -newkey rsa:2048 -keyout west.key -out westReq.pem
Generating a 2048 bit RSA private key
......................................................................+++
......................+++
writing new private key to 'west.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Smink
Organizational Unit Name (eg, section) []:Private
Common Name (eg, YOUR name) []:Bart Smink Ultimate-Laptop
Email Address []:bartsmink at gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:asdf
An optional company name []:Smink
root at ultimate-laptop:/home/user/certificates# openssl ca -in westReq.pem -days 365 -out westCert.pem -notext -cert caCert.pem -keyfile caKey.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for caKey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 28 10:46:18 2010 GMT
            Not After : Jul 28 10:46:18 2011 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Smink
            organizationalUnitName    = Private
            commonName                = Bart Smink Ultimate-Laptop
            emailAddress              = bartsmink at gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E5:8C:D3:DB:B3:1E:98:6F:3D:B3:2F:14:64:CF:96:3C:EA:6A:15:7A
            X509v3 Authority Key Identifier:
                keyid:A6:5A:2A:7E:A0:DE:27:BB:9C:AE:52:8B:1F:AB:E9:90:27:C2:B1:35

Certificate is to be certified until Jul 28 10:46:18 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root at ultimate-laptop:/home/user/certificates# ls
caCert.pem  index.txt.attr  serial        west.key
caKey.pem   index.txt.old   serial.old    westReq.pem
index.txt   newcerts        westCert.pem
root at ultimate-laptop:/home/user/certificates# openssl x509 -in caCert.pem -subject -noout
subject= /C=US/ST=California/L=San Francisco/O=Smink/OU=Private/CN=Bart Smink Root CA/emailAddress=bartsmink at gmail.com
root at ultimate-laptop:/home/user/certificates# openssl x509 -in westCert.pem -subject -noout
subject= /C=US/ST=California/O=Smink/OU=Private/CN=Bart Smink Ultimate-Laptop/emailAddress=bartsmink at gmail.com
root at ultimate-laptop:/home/user/certificates# openssl version
OpenSSL 0.9.8k 25 Mar 2009
root at ultimate-laptop:/home/user/certificates#

Thanks,

Bart Smink
The Netherlands
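An added check, not part of the original post: it parses the one-line 'subject= /C=.../ST=...' form that `openssl x509 -subject -noout` prints above, reports which RDN types the CA subject has that the issued certificate lacks, and shows why the request lost its locality: `openssl ca` applies the `[ policy_match ]` section of openssl.cnf and silently deletes any subject attribute that section does not mention (unless run with `-preserveDN`), and the stock section lists no localityName. The subject strings are reconstructed from the post with a placeholder e-mail address, and the policy table assumes the poster's openssl.cnf still carries the stock `[ policy_match ]` section.

```python
import re

# Constructed sample input: the two subject lines from the post, unwrapped,
# with the e-mail address replaced by a placeholder.
CA_SUBJECT = ("subject= /C=US/ST=California/L=San Francisco/O=Smink/OU=Private"
              "/CN=Bart Smink Root CA/emailAddress=user@example.com")
WEST_SUBJECT = ("subject= /C=US/ST=California/O=Smink/OU=Private"
                "/CN=Bart Smink Ultimate-Laptop/emailAddress=user@example.com")

# Stock [ policy_match ] section of openssl.cnf (assumption: unedited).
# 'openssl ca' deletes every subject attribute the active policy section
# does not mention unless run with -preserveDN; localityName is absent here.
DEFAULT_POLICY_MATCH = {
    "countryName": "match", "stateOrProvinceName": "match",
    "organizationName": "match", "organizationalUnitName": "optional",
    "commonName": "supplied", "emailAddress": "optional",
}
SHORT_TO_LONG = {"C": "countryName", "ST": "stateOrProvinceName",
                 "L": "localityName", "O": "organizationName",
                 "OU": "organizationalUnitName", "CN": "commonName"}


def parse_subject(line):
    """Return the DN as an ordered list of (type, value) RDN pairs.
    Accepts the legacy '/'-separated form with or without the 'subject='
    prefix and honours backslash-escaped '/' inside values (O=Acme\\/Labs)."""
    dn = line.split("=", 1)[1] if line.startswith("subject=") else line
    parts = [p for p in re.split(r"(?<!\\)/", dn.strip()) if p]
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        k, v = part.split("=", 1)
        rdns.append((k, v.replace("\\/", "/")))
    return rdns


def missing_rdns(ca_line, peer_line):
    """RDN types present in the CA subject but absent from the peer subject.
    Openswan compares DNs RDN by RDN (same count, same attribute types), so
    a gap here is a candidate cause of 'no suitable connection for peer'."""
    peer_types = {k for k, _ in parse_subject(peer_line)}
    return [k for k, _ in parse_subject(ca_line) if k not in peer_types]


def dropped_by_policy(csr_line, policy=DEFAULT_POLICY_MATCH):
    """RDN types of a request subject that 'openssl ca' would delete under
    the given policy section, i.e. why the issued cert lost an attribute."""
    return [k for k, _ in parse_subject(csr_line)
            if SHORT_TO_LONG.get(k, k) not in policy]
```

The request in the post carried the same subject as the CA, so `dropped_by_policy(CA_SUBJECT)` names the attribute the CA step removed, and `missing_rdns` confirms it is the one the issued certificate now lacks.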