
Re: isakmpd and reading x509 certs



Permission issue?  Check user/group permissions (+sudo rights) on all
relevant config and policy files.  I have no issue operating the CA and
isakmpd on the same 3.3 box.  isakmpd -d -DA=99 output would be helpful too.
-Todd

-----Original Message-----
From: Gordon Chalmers [mailto:gordonc@kestral.com.au]
Sent: Sunday, August 31, 2003 11:36 PM
To: misc@openbsd.org
Subject: isakmpd and reading x509 certs


Hi all,
I swear I have googled for this first....


I am getting the error:
x509_read_from_dir: reading certs from /etc/isakmpd/ca
x509_read_from_dir: reading certificate ca.crt
x509_read_from_dir: PEM_read_bio_X509 failed for ca.crt

when my isakmpd daemon starts and reads the CA cert, as well as the server certs in isakmpd/certs.

One of the older Google responses says that having the CA and the isakmpd server on the same machine and with the same common name can be a problem?
Is this still a problem?
Code is 3.3 release.

Research into this says to check the certs are in PEM format as follows:
openssl x509 -in /etc/isakmpd/ca/ca.crt -noout -text

which gives

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 0 (0x0)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=AU, ST=Victoria, L=Melbourne, O=Kestral, OU=Test, CN=bsdtest.kestral.com.au/emailAddress=gordonc@kestral.com.au
         Validity
             Not Before: Sep  1 02:18:23 2003 GMT
             Not After : Aug 31 02:18:23 2004 GMT
         Subject: C=AU, ST=Victoria, L=Melbourne, O=Kestral, OU=Test, CN=bsdtest.kestral.com.au/emailAddress=gordonc@kestral.com.au
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:db:d8:33:1e:63:6c:95:97:61:c4:de:6a:18:0b:
                     3c:30:95:41:f0:a2:76:68:7a:61:25:86:ee:8f:a3:
                     e9:cc:a9:f0:bc:91:2d:5d:96:23:0c:0e:88:6e:18:
                     db:78:c4:d0:c4:29:f4:61:e6:d5:86:16:6e:e1:27:
                     6e:16:57:7a:77:3f:1f:19:80:8c:43:a8:01:7b:3c:
                     7d:5b:d5:a1:2f:cd:3e:1c:0c:50:cc:58:ba:8b:12:
                     20:50:6d:c8:61:25:77:0e:5f:1a:25:ba:5d:0d:99:
                     0d:b6:2e:48:c5:08:d9:f4:6a:8b:f9:93:8a:1d:c3:
                     69:86:10:c3:af:21:e8:ef:77
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
             CA:TRUE, pathlen:1
             X509v3 Key Usage:
             Digital Signature, Certificate Sign
     Signature Algorithm: md5WithRSAEncryption
         15:c8:05:25:0d:d2:dc:1c:b1:c7:e0:e6:69:55:07:de:f6:31:
         22:e7:2d:55:23:41:28:e6:e3:eb:76:bd:27:09:a2:8d:ea:76:
         4d:ea:8c:b5:b3:9c:7d:d1:b5:29:ec:09:55:07:f9:ed:45:59:
         37:9e:6d:16:1e:90:c5:4b:ab:bf:33:0a:f0:8e:ee:13:7b:01:
         d6:d0:cc:3b:0f:9c:ee:98:43:ab:b4:19:41:54:55:cf:a3:d0:
         23:d4:a0:df:44:da:0b:e0:d9:89:b2:d7:05:94:4c:d3:47:ec:
         16:00:f2:33:6a:71:38:99:15:c1:4d:61:5f:f5:ef:06:86:f3:
         e9:8b


If anyone could point out the flipping obvious to me I would be most grateful.

As a side note, the server certs have been created and have the FQDNs properly in the subjectAltName. Here is an example:

# sudo openssl x509 -in /etc/isakmpd/certs/bsdtest.kestral.com.au.crt -noout -text
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=AU, ST=Victoria, L=Melbourne, O=Kestral, OU=Test, CN=bsdtest.kestral.com.au/emailAddress=gordonc@kestral.com.au
         Validity
             Not Before: Sep  1 02:20:57 2003 GMT
             Not After : Aug 31 02:20:57 2004 GMT
         Subject: C=AU, ST=Victoria, L=Melbourne, O=Kestral, OU=Test, CN=bsdtest.kestral.com.au/emailAddress=gordonc@kestral.com.au
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:b7:f4:4c:ac:32:42:af:54:4a:9e:7a:4d:9a:1c:
                     42:62:85:9f:20:ef:09:de:64:e3:83:2c:9c:f3:a8:
                     06:36:d9:8e:9a:5f:b4:9d:f3:a1:87:8a:f7:60:0a:
                     bc:be:19:27:9e:82:bd:0a:0f:f9:b5:cf:7f:04:a9:
                     1a:69:f1:ec:74:f4:fc:5a:1c:da:75:b4:aa:cf:0b:
                     55:45:e9:00:24:22:d3:85:f1:fb:c6:fd:a2:66:92:
                     9d:d0:bb:03:49:f6:65:8e:4d:38:33:15:f2:4c:12:
                     6d:fe:21:d8:f7:39:ae:0a:a3:76:76:24:f7:7a:04:
                     13:7a:0c:fa:cd:aa:37:c5:81
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Alternative Name:
             DNS:bsdtest.kestral.com.au
     Signature Algorithm: md5WithRSAEncryption
         77:99:f2:c0:1a:60:7e:36:95:12:61:cb:8e:1e:1c:45:45:df:
         17:d9:28:69:66:a4:e2:ed:59:a1:62:4a:cd:b1:a8:59:76:f6:
         de:3f:0f:86:e8:00:00:0f:e6:f9:5e:81:68:76:77:53:0f:e3:
         d0:78:7d:9a:66:08:ef:d1:6e:fd:94:d3:6a:c0:72:90:bf:d5:
         72:cd:ba:21:a1:98:0c:95:c5:f2:df:c4:c8:f6:4f:b3:6a:10:
         f7:46:d3:f2:c9:19:c5:91:78:88:f8:39:85:15:f7:cf:aa:83:
         69:f2:ab:1c:e8:64:94:90:75:77:ae:8f:3b:53:c8:8e:6d:2e:
         41:fd

thanks
Gordon Chalmers
Kestral Computing
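A diagnostic script covering the two suggestions in this thread (Todd's permission check and Gordon's PEM-format check), plus a verification of each server cert against the CA, added here as an example and not part of either post. It assumes the directory layout Gordon shows (/etc/isakmpd/ca and /etc/isakmpd/certs); the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check what isakmpd loads from its CA
# and cert directories. Paths follow Gordon's layout; function names are mine.
CA_DIR=/etc/isakmpd/ca
CERT_DIR=/etc/isakmpd/certs
# 0 if the file holds a PEM certificate header (PEM_read_bio_X509 skips
# anything before it, so leading "-text" output does not matter).
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}
# 0 if the first byte is an ASN.1 SEQUENCE tag (0x30), i.e. DER not PEM.
is_der() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}
# Print pem, der or unknown for one file.
cert_encoding() {
    if is_pem_cert "$1"; then echo pem
    elif is_der "$1"; then echo der
    else echo unknown
    fi
}

# Report each file the daemon could not load: unreadable by the current
# user, DER instead of PEM, or PEM that OpenSSL itself cannot parse.
check_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ -r "$f" ] || { echo "$f: not readable by $(id -un)"; continue; }
        case "$(cert_encoding "$f")" in
            pem) openssl x509 -in "$f" -noout >/dev/null 2>&1 ||
                     echo "$f: PEM header present but OpenSSL cannot parse it" ;;
            der) echo "$f: DER encoded; convert with openssl x509 -inform DER" ;;
            *)   echo "$f: no certificate header found" ;;
        esac
    done
    return 0
}

# A matching Issuer is not proof of signing; make each server cert verify.
verify_against_ca() {
    for f in "$2"/*.crt; do
        [ -f "$f" ] || continue
        openssl verify -CAfile "$1" "$f" || echo "$f: does not chain to $1"
    done
    return 0
}
if [ -d "$CA_DIR" ]; then
    check_dir "$CA_DIR"; check_dir "$CERT_DIR"; verify_against_ca "$CA_DIR/ca.crt" "$CERT_DIR"
fi
```

Run it as the user isakmpd runs as, so the readability check reflects what the daemon actually sees.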