Discussion:
EAP/TLS certificates and server questions
Thomas Maenner
2003-03-17 19:25:43 UTC
Hello all,

I have a couple of maybe OT questions on certificates (And I am
relatively new to certificates and stuff...)

Thanks to the EAP/TLS Howto, I was able to set up the radius server and
get all the authentication I needed going.
Now the script, which creates the root certificate, generates root.pem
with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated
everything. That's a pain...

- How can I extend them? Reuse them? What's the deal?


The second issue I have, is creating a secondary server as a backup.

I have the second box, with software up and running.

But again, the certificates:
- My first attempt - just copying them - didn't work. OK, just a try.
- Second, since the certs are tied to hostname, I recreated them - guess
what...

Anybody who could give me some instructions on these?

Thanks a lot!

Tom

P.S. If this is too OT, please ignore.
--
Thomas Maenner
E-Mail: mailto:***@aehr.com




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Artur Hecker
2003-03-19 11:15:29 UTC
hi
Post by Thomas Maenner
Thanks to the EAP/TLS Howto, I was able to set up the radius server and
get all the authentication I needed going.
Now the script, which creates the root certificate, generates root.pem
with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated
everything. That's a pain...
- How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expiration date. take a look at the
scripts.
Post by Thomas Maenner
I have the second box, with software up and running.
- My first attempt - just copying them - didn't work. OK, just a try.
why? what exactly did you copy and what exactly did you certify?
Post by Thomas Maenner
- Second, since the certs are tied to hostname, I recreated them - guess
what...
well, you have to look at what you are doing. are you sure that your
certificates are tied to the host address? because mine are not. and i
doubt that this is verified anyway. the server simply has a pair of keys
and both are signed and one of them (the private) is encrypted. the
possession of the decryption key enables the usage.


ciao
artur
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Thomas Maenner
2003-03-19 19:08:58 UTC
Thanks Artur,
Post by Artur Hecker
hi
Post by Thomas Maenner
Thanks to the EAP/TLS Howto, I was able to set up the radius server
and get all the authentication I needed going.
Now the script, which creates the root certificate, generates
root.pem with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated
everything. That's a pain...
- How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expiration date. take a look at the
scripts.
Well, I didn't find any expiration date in my CA.root script.
In openssl.cnf I have:
default_days = 365 # how long to certify for
default_crl_days= 365
These only seem to affect the 'user' certs, giving them a one-year lifetime.

Using the script in http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

This is the script CA.root I am using.
---snipsnip---
#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA
echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo
# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
# Note: no -days option here, so "openssl req -x509" uses its default of 30 days
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo
echo "newreq.pem" | CA.pl -newca >/dev/null
echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo
# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
# Clean up
rm -rf newreq.pem
---snipsnip---

This script creates my 'root.der' file, which I store on the wifi clients.
Post by Artur Hecker
Post by Thomas Maenner
I have the second box, with software up and running.
- My first attempt - just copying them - didn't work. OK, just a try.
why? what exactly did you copy and what exactly did you certify?
Post by Thomas Maenner
- Second, since the certs are tied to hostname, I recreated them -
guess what...
well, you have to look at what you are doing. are you sure that your
certificates are tied to the host address? because mine are not. and i
doubt that this is verified anyway. the server simply has a pair of
keys and both are signed and one of them (the private) is encrypted.
the possession of the decryption key enables the usage.
AFAIK I have three types of certs, which I need:
filename     location                 script-file
root.pem     radius-server:/etc/1x    CA.root
root.der     user-host                (created above, derived from root.pem)
server.pem   radius-server:/etc/1x    CA.svr <radius-server>
user.p12     user-host                CA.clt <username>

So, server.pem has the hostname "in it"...

Rather than fixing the way I did it... what about showing me the right
way to do it: copying / modifying / creating the appropriate certs for a
backup radius server.
Post by Artur Hecker
ciao
artur
As you can see, I am a bit lost there...
Thanks a lot for your help!

Tom
--
Thomas Maenner
E-Mail: mailto:***@aehr.com





Thomas Maenner
2003-03-21 18:58:25 UTC
Thanks Artur,

hopefully, you can help me with a couple of things here:

When the 'root' certificate runs out, what should / can I do?
- it looks like I can not extend its lifetime?
- will a re-creation invalidate the client certificates? Does a
distribution of the root.der file have to be "safe"?

Thanks everybody for your advice!

Tom
Post by Artur Hecker
hi
Post by Thomas Maenner
Thanks to the EAP/TLS Howto, I was able to set up the radius server
and get all the authentication I needed going.
Now the script, which creates the root certificate, generates
root.pem with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated
everything. That's a pain...
- How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expiration date. take a look at the
scripts.
Post by Thomas Maenner
I have the second box, with software up and running.
- My first attempt - just copying them - didn't work. OK, just a try.
why? what exactly did you copy and what exactly did you certify?
Post by Thomas Maenner
- Second, since the certs are tied to hostname, I recreated them -
guess what...
well, you have to look at what you are doing. are you sure that your
certificates are tied to the host address? because mine are not. and i
doubt that this is verified anyway. the server simply has a pair of
keys and both are signed and one of them (the private) is encrypted.
the possession of the decryption key enables the usage.
ciao
artur
Thomas Maenner
2003-03-21 23:42:41 UTC
Hi,

you were so right... and I am so blind...
Post by Artur Hecker
hi
Post by Thomas Maenner
Thanks to the EAP/TLS Howto, I was able to set up the radius server
and get all the authentication I needed going.
Now the script, which creates the root certificate, generates
root.pem with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated
everything. That's a pain...
- How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expiration date. take a look at the
scripts.
Just changed the openssl req call in my CA.root script into:

---snipsnip---
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:xxx -passout pass:xxx -days 3650
---snipsnip---

Seems to work now.

Thanks for your help!

Tom



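Tom's fix above (giving the root a -days value) and his two open questions, issuing certificates for a backup server and whether a re-created root invalidates what was issued under the old one, worked through as an added example that is not part of this thread or of the HOWTO it references. It builds a throw-away PKI in a temporary directory; the CA names, the hostnames radius1/radius2 and the 40-day offset are constructed, and it assumes a POSIX sh with an openssl that supports "verify -attime".

```sh
#!/bin/sh
# Added example, not from the thread or the HOWTO: a throw-away PKI in a temp
# directory that shows how the root's validity bounds the whole chain.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed root CA. Without -days, "openssl req -x509" issues for 30 days,
# which is the lifetime the original CA.root script ended up with.
make_ca() {   # $1 = validity in days, $2 = basename (constructed names)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=root-$2" \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Server certificate issued by the CA. A backup RADIUS server gets its own
# certificate from the same root this way instead of a copy of the primary's.
make_server_cert() {   # $1 = hostname used as CN, $2 = CA basename
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 365 -out "$1.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate is still valid $1 days from now (handy in cron).
outlives_days() {   # $1 = days, $2 = PEM certificate
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null
}

# Prints "ok" or "fail": does $3 chain to CA $2 when validated at epoch time $1?
verify_at() {
    if openssl verify -attime "$1" -CAfile "$2" "$3" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

make_ca 30 old                 # the 30-day root the HOWTO script produced
make_server_cert radius1 old   # primary server, 365-day certificate
make_server_cert radius2 old   # backup server, same root, its own hostname
make_ca 3650 new               # re-created root with a 10-year lifetime
now=$(date +%s)
later=$(( now + 40 * 86400 ))  # 40 days on: root expired, server certs not

echo "radius1 now:        $(verify_at "$now"   old.pem radius1.pem)"   # ok
echo "radius2 now:        $(verify_at "$now"   old.pem radius2.pem)"   # ok
echo "radius1 in 40 days: $(verify_at "$later" old.pem radius1.pem)"   # fail
echo "radius1 vs new CA:  $(verify_at "$now"   new.pem radius1.pem)"   # fail
outlives_days 20 old.pem && echo "old root still valid in 20 days"
outlives_days 40 old.pem || echo "old root expires within 40 days"
```

The last two checks answer the re-creation question: a server or client certificate keeps its own 365-day validity, but once the root that signed it expires (or is replaced by a new root) the chain no longer verifies, so everything issued under the old root has to be reissued and the new root.der redistributed to the clients.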