I am trying to use FreeRADIUS 3.0 for authentication with certificates. To generate the CA, server and client certificates, make is available, reading a specific configuration file for each certificate (more information about it here).

The generated private key of the server and the client is encrypted by a password set in the configuration file.

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
the encrypted private key ...
```

When I restart the radius service it fails; I get the following error (using freeradius -X):

```
tls: Failed reading private key file "/etc/freeradius/3.0/certs/server.pem": error:0B080074:X509 certificate routines:X509_check_private_key:key values mismatch
```

At first I thought that the password provided for decryption in the configuration files (mods-enabled/eap and sites-enabled/tls) of FreeRADIUS was wrong, but no.

When I use openssl to decrypt the file, it works like a charm.

```
root@debian:/etc/freeradius/3.0/certs# openssl rsa -in server.pem
Enter pass phrase for server.pem:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
clear certificate ...
```

When I open the pem file in a GUI on Ubuntu, the same password does not work anymore.

I don't understand why, with FreeRADIUS (and with the GUI), the password provided doesn't decrypt the certificate. The make commands to generate the certificates are built by FreeRADIUS, so it should work.

molik
  • freeradius is NOT having any trouble decrypting the privatekey; 'key values mismatch' is a completely different problem, namely that the certificate and privatekey being used/paired are not for the same key as they should be. Note that being able to access the privatekey by itself, or the cert by itself, does not establish that they match and are valid for use together. `make` is a standard utility and I'd bet freeradius does not provide a make 'command' but rather a file _used by_ make which is called a makefile and standardly named Makefile, but I don't have time to search for it. ... – dave_thompson_085 Jun 09 '21 at 01:08
  • ... I don't know what 'gui' you are using on Ubuntu -- there are millions of possibilities -- but it may be wrong or you may be using it wrong. – dave_thompson_085 Jun 09 '21 at 01:09
  • I got it sorted. Like you said, the certificate and the key of the user were not from the same creation. I checked the checksums of the files on the server and on the client and I got a mismatch. I pulled both keys once again and now it's working. Thanks! – molik Jun 09 '21 at 14:14
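
The pairing check the comments describe, as an added example that is not part of the original thread: it compares the public key embedded in a certificate with the public key derived from a private key, which is what `key values mismatch` is about. The function names, the `KEY_PASS` environment variable and the generated files are assumptions of this sketch; the files are constructed test material.

```shell
#!/bin/sh
# Added example: verify that a certificate and a private key share one public key.
# The key passphrase is read from the KEY_PASS environment variable (an
# assumption of this sketch) so it never appears on a command line.

# pair_matches CERT KEY -> 0 = same key, 1 = mismatch, 2 = unreadable input
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$2" \
        -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# make_demo_files DIR: constructed test material, not FreeRADIUS output.
# a.key is passphrase-encrypted, a.crt is issued for a.key, b.key is unrelated.
make_demo_files() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:KEY_PASS -out "$1/a.key" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/a.key" -passin env:KEY_PASS \
        -subj "/CN=constructed-example" -days 1 -out "$1/a.crt" 2>/dev/null
}

# report CERT KEY: human-readable verdict for one pair
report() {
    pair_matches "$1" "$2"
    case $? in
        0) echo "match: $1 <-> $2" ;;
        1) echo "MISMATCH: $1 was not issued for $2" ;;
        *) echo "unreadable (wrong passphrase or bad file): $1 / $2" ;;
    esac
}

KEY_PASS="constructed-passphrase"; export KEY_PASS
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
report "$demo_dir/a.crt" "$demo_dir/a.key"   # key decrypts and matches
report "$demo_dir/a.crt" "$demo_dir/b.key"   # key reads fine but does not match
```

A passphrase that decrypts the key only proves the key file is readable; exit status 1 from `pair_matches` is the separate condition that FreeRADIUS reports as a key values mismatch.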
