[RADIATOR] Can't get chain certificates to work

Stephen A. Felicetti stephen.felicetti at fccc.edu
Thu Nov 4 13:59:53 CDT 2010


Thanks for the response. But, I continue to get the "X509_check_private_key:key values mismatch" error any time I use the certificate chain configuration line. I've tried many combinations of certificates in the file, with all the same results.


On Nov 4, 2010, at 12:50 PM, Andrew D. Clark wrote:

I had trouble getting this to work as well.  The problem turned out to be the
order of certificates in the chain.  They usually come, from top to bottom in
the file, root CA, signing CA, your cert.  It looks like the way Radiator
wants it is your cert, followed by the signing CA.  Try reversing the order of
certs in your file and see if it works. 

--
Andrew Clark

On Thursday, November 04, 2010 07:30:42 am Stephen A. Felicetti wrote:
> Hello,
>
> I'm currently running Radiator 4.7 on SUSE linux with OpenSSL 0.9.8h.
> I've had this running for years without any problems (albeit different
> versions). Now that I have to begin using Chain Certificates with my CA,
> I'm stuck. I know for a fact that my private key and server
> certificate share the same modulus and exponent. The private key also
> works fine. I was also given all the correct CA and Chain certificates
> from Thawte, so I'm confident I'm OK there. The certificates work fine
> when installed on a Cisco ACS server.
> I also tried another set of certificates from Entrust, and received the
> same exact errors. The only way I can get this configuration to work with
> the new certificates is to use configuration #1, and not have the wireless
> client validate the server cert. Obviously, not a solution.
>
> Any help or suggestions are greatly appreciated.
>
> Configuration #1:
>
> EAPType TTLS
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
> #EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem
> [disabled] EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
> EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
> EAPTLS_PrivateKeyPassword xxxx
>
> I get this error, which I would expect to receive without a chain cert in
> the configuration and the client wanting to validate the server cert.
>
> Tue Nov  2 12:02:35 2010: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
> Tue Nov  2 12:02:35 2010: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful:  23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Tue Nov  2 12:02:35 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful: 23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Tue Nov  2 12:02:35 2010: INFO: Access rejected for tsd7notebook: EAP TTLS Handshake unsuccessful:  23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
>
>
> Configuration #2:
>
> EAPType TTLS
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
> EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem
> [enabled] EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
> EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
> EAPTLS_PrivateKeyPassword xxxx
>
> I get this error:
>
> Tue Nov  2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1:  23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
>
>
> Thanks,
> Steve
>
> Stephen A Felicetti
> Fox Chase Cancer Center
> Director, Information Security
> stephen.felicetti at fccc.edu
> 215-728-2956
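The two things this thread turns on (does the key really belong to the cert Radiator is loading, and is the chain file in leaf-first order as Andrew describes) can both be checked from the shell before touching the Radiator config. The script below is an added example written for this archive page, not code from the thread or from Radiator; it uses only the openssl CLI, and the Demo-* names, file names and the throwaway chain that make_demo builds are constructed assumptions, not the Thawte or Entrust material.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks behind Steve's errors, done
# with the openssl CLI. key_matches_cert maps to "X509_check_private_key:key
# values mismatch"; chain_order checks the leaf-first order Andrew describes.
set -eu
# MATCH if private key $1 carries the same public key as certificate $2.
key_matches_cert() {
    kp=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cp=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$kp" = "$cp" ] && echo MATCH || echo MISMATCH
}
# Write each certificate of PEM bundle $1 to $2/NN.pem and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}
# ORDER_OK if every certificate in bundle $1 is followed by its issuer
# (server cert, then signing CA, then that CA's signer); else ORDER_BAD.
chain_order() {
    d=$(mktemp -d); n=$(split_bundle "$1" "$d"); i=1; st=ORDER_OK
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$d/$(printf %02d "$i").pem" -noout -issuer)
        sub=$(openssl x509 -in "$d/$(printf %02d $((i + 1))).pem" -noout -subject)
        # drop the "issuer=" / "subject=" labels so the names compare directly
        [ "${iss#issuer=}" = "${sub#subject=}" ] || st=ORDER_BAD
        i=$((i + 1))
    done
    rm -rf "$d"; echo "$st"
}
# Build a throwaway root -> inter -> server chain in directory $1 so the checks
# run offline (constructed demo material, not the Thawte or Entrust certs).
make_demo() (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Demo-Root -days 1 \
        -keyout root.key -out root.pem 2>/dev/null
    for pair in inter:root server:inter; do
        name=${pair%%:*}; ca=${pair##*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo-$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
            -set_serial 1 -days 1 -out "$name.pem" 2>/dev/null
    done
    cat server.pem inter.pem > good_chain.pem   # the order Radiator wants
    cat inter.pem server.pem > bad_chain.pem    # signing CA first, as vendor bundles often come
)
```

Source the file, run `make_demo "$dir"`, and then `chain_order "$dir/bad_chain.pem"` reports ORDER_BAD while `key_matches_cert "$dir/server.key" "$dir/server.pem"` reports MATCH; point the same two functions at the real key, server cert and bundle to see which of the two errors applies.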

