[Openswan Users] X.509 certificate rejected
goog long
cecolong at yahoo.com
Tue Mar 16 09:44:24 EDT 2010
Here is a series of commands I used to generate the certificate. After each command, I list all existing files or directories. What missing files are you referring to?
# /usr/lib/ssl/misc/CA.sh -newca
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
# openssl ca -gencrl -out crl.pem
-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
# /usr/lib/ssl/misc/CA.sh -newreq
-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:33 demoCA
-rw-r--r-- 1 root root 963 2010-03-16 09:38 newkey.pem
-rw-r--r-- 1 root root 737 2010-03-16 09:38 newreq.pem
# /usr/lib/ssl/misc/CA.sh -sign
-rw-r--r-- 1 root root 487 2010-03-16 09:35 crl.pem
drwxr-xr-x 6 root root 4096 2010-03-16 09:39 demoCA
-rw-r--r-- 1 root root 3244 2010-03-16 09:39 newcert.pem
-rw-r--r-- 1 root root 963 2010-03-16 09:38 newkey.pem
-rw-r--r-- 1 root root 737 2010-03-16 09:38 newreq.pem
# find demoCA -name \*.pem
demoCA/private/cakey.pem
demoCA/careq.pem
demoCA/cacert.pem
demoCA/newcerts/00.pem
demoCA/newcerts/01.pem
--- On Mon, 3/15/10, Paul Wouters <paul at xelerance.com> wrote:
From: Paul Wouters <paul at xelerance.com>
Subject: Re: [Openswan Users] X.509 certificate rejected
To: "goog long" <cecolong at yahoo.com>
Cc: users at openswan.org
Date: Monday, March 15, 2010, 10:26 PM
On Mon, 15 Mar 2010, goog long wrote:
> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: issuer cacert not found
> Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: X.509 certificate rejected
Looks like the server has no CA installed that signed the host certificate of the road warrior.
(nor an intermediate CA)
> conn roadwarrior-net
> leftsubnet=192.168.50.0/255.255.255.0
> also=roadwarrior
>
> conn roadwarrior
> # left=%defaultroute
> left=192.168.50.2
> leftcert=clienthost.example.com.pem
> right=192.168.50.1
> rightsubnet=host.example.com.pem
That last line is wrong. Subnet should not be a cert.
Paul
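The "issuer cacert not found" message in the quoted log means pluto could not find, among its loaded CA certificates, one whose subject matches the issuer of the road warrior's certificate. The same check can be run outside pluto with plain openssl before loading anything into /etc/ipsec.d. The script below is an added example and not part of the original thread or of Openswan: it builds two throwaway CAs in a temporary directory, issues a host certificate from the first one, and then asks, for each CA file, whether that CA actually issued the host certificate (issuer DN equal to the CA subject DN, and a successful signature verification). All names and paths in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the check behind
# "issuer cacert not found" with openssl only. Every CA name, file name and
# path here is constructed for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  # $1 = output prefix, $2 = CN. Creates a self-signed CA key and certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

issue_cert() {
  # $1 = CA prefix, $2 = output prefix, $3 = CN.
  # Creates a key and CSR for the host, then signs the CSR with the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

check_issuer() {
  # $1 = CA certificate, $2 = host certificate.
  # Returns 0 only if the host cert's issuer DN equals the CA's subject DN
  # (the lookup pluto performs) and the CA's key verifies the signature.
  issuer=$(openssl x509 -in "$2" -noout -issuer)
  subject=$(openssl x509 -in "$1" -noout -subject)
  # Drop the "issuer=" / "subject=" labels so only the DNs are compared.
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed setup: two unrelated CAs, host cert issued by the first only.
make_ca "$WORK/ca-a" "Example Road Warrior CA"
make_ca "$WORK/ca-b" "Unrelated CA"
issue_cert "$WORK/ca-a" "$WORK/clienthost" "clienthost.example.com"

# Ask each CA file whether it issued clienthost.pem.
for ca in "$WORK/ca-a.pem" "$WORK/ca-b.pem"; do
  if check_issuer "$ca" "$WORK/clienthost.pem"; then
    echo "OK: $(basename "$ca") issued clienthost.pem"
  else
    echo "issuer cacert not found: $(basename "$ca") did not issue clienthost.pem"
  fi
done
```

To apply this to the configuration in the thread, run check_issuer with the CA file you intend to place under the gateway's ipsec.d cacerts directory as the first argument and the road warrior's host certificate as the second; if it fails, the gateway will reject the certificate for the same reason the log shows, regardless of how the conn is written.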