From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Oct 15 2002 - 20:20:50 CEST
If you send me both the gandalf and the CA certificate
I could tell you what is wrong with them.
Since you import the gandalf peer certificate locally using
leftcert=gandalf.innovaman.pem
trust is put directly into the host certificate. The
corresponding CA certificate is therefore not required.
This is the reason that the connection is established
although the certificate received via IKE could not
be verified successfully.
Regards
Andreas
Josep Llauradó Selvas wrote:
> Hello all,
>
> I have a VPN connection between two FreeS/SWAN systems and all runs well.
> I'm using x509 certificates using the same CA to authorize them.
>
> I have created a CA and two certificates signed by the CA, and I say that
> the connection can only be from gandalf to r2d2 (my freeswan boxes). The
> tunnel runs well (I hope) but I get a lot of error messages:
>
> ------------------------------8<---------------------
> 192.168.128.1 #597: Issuer CRL not found
> 192.168.128.1 #597: Issuer CA certificate not found
> 192.168.128.1 #597: X.509 certificate rejected
> 192.168.128.1 #597: sent MR3, ISAKMP SA established
> 192.168.128.1 #598: responding to Main Mode from unknown peer 192.168.128.1
> 192.168.128.1 #598: Peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Tarragona, O=Innova Grup Empreses
> Municipals, OU=InnovaMAN, CN=r2d2.innovaman'
> ------------------------------8<---------------------
>
> When I try to use openssl -verify with one of these certificates I get the
> following message:
> ------------------------------8<---------------------
> aragorn:/etc/ssl/INNOVA#
> openssl verify -CAfile ca.crt
> certs/gandalf.innovaman.pem: /C=ES/ST=Tarragona/L=Reus/O=Innova Grup
> Empreses Municipals/OU=Innova Autoritat Certificadora/CN=Innova Autoritat
> Certificadora/Email=certadmin_at_innovaman
> error 2 at 1 depth lookup:unable to get issuer certificate
> ------------------------------8<---------------------
> It seems that I have a problem with the certificates, but what am I doing
> wrong? And why is the connection established if the certificates are wrong?
>
> The config of the connections follows:
> ------------------------------8<---------------------
> conn %default
> keyingtries=0
> authby=rsasig
> # My side is right - r2d2
> right=192.168.128.1
> rightcert=r2d2.innovaman.pem
> rightsubnet=192.168.1.0/24
> auto=add
>
> conn innova-gaia
> left=192.168.128.2
> leftcert=gandalf.innovaman.pem
> leftsubnet=192.168.63.0/24
> auto=start
> ------------------------------8<---------------------
>
> TIA
>
> _________________________________________________________
> Josep Llauradó Selvas darlock_at_tinet.org
> Linux Registered User #153481
> The only "intuitive" interface is the nipple.
> After that, it's all learned.
> (in comp.os.linux.misc, on X interfaces.)
> _________________________________________________________
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                    e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                     phone:  +41 76 340 25 56
Alter Zürichweg 20                 home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
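As an added example, not part of the thread, the following POSIX shell script rebuilds the `openssl verify` failure quoted above ("error 2 at 1 depth lookup: unable to get issuer certificate") with a throwaway three-level chain and checks the two usual causes of a depth-1 lookup error: the first certificate in the -CAfile is not self-signed, or its subject DN does not match the host certificate's issuer DN. It assumes only an OpenSSL 1.1.1 or later command-line tool; all DNs and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the openssl verify failure the
# original poster saw ("error 2 at 1 depth lookup") with a throwaway chain,
# and check the two things that usually cause it. All DNs are constructed.
set -e
WORK=$(mktemp -d)
CA_EXT="$WORK/ca.ext"; HOST_EXT="$WORK/host.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"
printf 'basicConstraints=CA:FALSE\n' > "$HOST_EXT"

# issue NAME SUBJECT EXTFILE [ISSUER]: key + CSR + cert; self-signed without ISSUER.
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 2 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# dn CERT subject|issuer: that DN of the first certificate in CERT, RFC 2253 form.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | cut -d= -f2-; }

# self_signed CERT: true when issuer DN equals subject DN (what a trust root must be).
self_signed() { [ "$(dn "$1" issuer)" = "$(dn "$1" subject)" ]; }

# verify_leaf LEAF CAFILE: the check from the original post, preceded by notes
# on the two usual causes of a depth-1 failure; returns openssl's exit status.
verify_leaf() {
  [ "$(dn "$1" issuer)" = "$(dn "$2" subject)" ] ||
    echo "note: leaf issuer DN differs from the first subject DN in $2"
  self_signed "$2" ||
    echo "note: first cert in $2 is not self-signed, so its own issuer must be in the file"
  openssl verify -CAfile "$2" "$1"
}

# Demo: root -> issuing CA -> host, like CA -> gandalf in the thread but with
# one extra level, so the issuing CA's certificate alone is not a complete chain.
issue root  "/C=XX/O=Example/CN=Example Root CA"    "$CA_EXT"
issue inter "/C=XX/O=Example/CN=Example Issuing CA" "$CA_EXT" root
issue host  "/C=XX/O=Example/CN=gandalf.example"    "$HOST_EXT" inter
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/bundle.crt"
verify_leaf "$WORK/host.crt" "$WORK/inter.crt" || true   # error 2 at 1 depth lookup
verify_leaf "$WORK/host.crt" "$WORK/bundle.crt"          # OK once the root is present
```

The same check against a single CA certificate whose issuer DN is not its own subject DN reproduces the poster's situation: the host certificate verifies only once every issuer up to a self-signed root is present in the -CAfile.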
This archive was generated by hypermail 2.1.5 : Wed Oct 16 2002 - 05:20:23 CEST