
[Openvpn-users] URGENT: Help with SSL keys

  • Subject: [Openvpn-users] URGENT: Help with SSL keys
  • From: SNMP walker <snmpwalker@xxxxxxxxx>
  • Date: Mon, 21 Mar 2005 14:02:12 +0000 (GMT)

I am working on Redhat 7.2 Kernel 2.4.7-10 with OpenVPN 1.6 installed as Server.
We tried using WinXP clients and were successfully able to run a VPN configuration using SHARED STATIC KEYS.
Now I am trying to add SSL PKI (Public Key Infrastructure) using the concept of public/private keys.
I am adhering to the following steps from the OPENVPN manual on their site:

First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a different place, so use locate openssl.cnf to find it).

You may want to make some changes to this file:

  • Make a directory to serve as your key working area and change dir to point to it.
  • Consider increasing default_days so your VPN doesn't mysteriously stop working after exactly one year.
  • Set certificate and private_key to point to your master certificate authority certificate and private key files which we will presently generate. In the examples below, we will assume that your certificate authority certificate is named my-ca.crt and your certificate authority private key is named my-ca.key.
  • Note the files index.txt and serial. Initialize index.txt to be empty and serial to contain an initial serial number such as 01.
  • If you are paranoid about key sizes, increase default_bits to 2048. OpenVPN will have no problem handling a 2048 bit RSA key if you have built OpenVPN with pthread support, to enable background processing of RSA keys. You can still use large keys even without pthread support, but you will see some latency degradation on the tunnel during SSL/TLS key negotiations. For a good article on choosing an RSA key size, see the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.

After openssl.cnf has been edited, create your master certificate authority certificate/private-key pair:

openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650

This will create a master certificate authority certificate/private-key pair valid for 10 years.

Now create certificate/private-key pairs for both Home and Office. When prompted for the common name, make sure to use a different name for Home and Office.

openssl req -nodes -new -keyout office.key -out office.csr
openssl ca -out office.crt -in office.csr
openssl req -nodes -new -keyout home.key -out home.csr
openssl ca -out home.crt -in home.csr

Now copy home.crt, home.key, and my-ca.crt to Home over a secure channel, though actually only .key files should be considered non-public.

Now create Diffie Hellman parameters on Office with the following command:

openssl dhparam -out dh1024.pem 1024

Now when I try to run openvpn --config tls-office.conf
I get the following errors:
Cannot Load private key file office.key: error: 0B08074:x509 certificate routines:X509_check_private_key:key values mismatch.
Why am I running into this error when I'm trying to adhere to the manual?
I tried numerous times.
Also I checked on THAWTE.COM since they had a solution for this problem:
Solution Title: Error: "OpenSSL:error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch" Due to using the incorrect certificate or private key

Error: "OpenSSL:error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"
Error:x509_check_private_key:key values mismatch
Error says certificate and key are not matching
Error states the key is a mismatch
Error occurs during installation

This error message occurs if you are using the incorrect certificate or private key during installation.

Your private key contains a series of numbers. Two of those numbers form the "public key"; the others are part of your "private key". They are a unique pair. The "public key" bits are embedded in your certificate; we get them from your CSR. So you need to use the matching key and certificate files. To check that the public key in your certificate matches the public portion of your private key, view both files, and compare the modulus values with the following instructions:

To view the certificate:
openssl x509 -noout -text -in certfile

To view the key:
openssl rsa -noout -text -in keyfile

The "modulus" and "public exponent" portions in the key and the certificate must match exactly.

If the modulus values do not match exactly then you are using either the incorrect private key or certificate.

But my problem is that when I checked both office.crt and office.key, the moduli match in both files but the exponent part in office.crt is missing.
Why is such a faulty crt being generated? (If it is faulty at all)
How can I help the situation?
I need to get things working.
I am using OpenSSL version 0.9.6b [engine] 9 Jul 2001
Please help.
Sunny Gaurav Bharel
Linux Systems Administrator
HCL Infinet Ltd.
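
Added example, not part of the original post or the quoted Thawte note: a shell check for the certificate/key pairing described in the quoted instructions, comparing the whole public key (modulus and exponent together) instead of reading the two text dumps by eye. It assumes an OpenSSL release that provides the `pkey` command (1.0.0 or later) and unencrypted private keys; the function names and the self-signed sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Public key embedded in a certificate, as PEM (SubjectPublicKeyInfo).
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public half of a private key, in the same PEM form.
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# cert_key_match CERT KEY
#   0 = key belongs to certificate
#   1 = "key values mismatch"
#   2 = one of the files could not be parsed
cert_key_match() {
    cert_pub=$(pub_from_cert "$1") || return 2
    key_pub=$(pub_from_key "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: a throwaway self-signed cert and its key.
# (The procedure in the post signs with a CA; self-signing keeps this short
# and does not change which public key ends up in the certificate.)
make_sample_pair() {  # $1 = directory, $2 = base name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 2
    make_sample_pair "$dir" office && make_sample_pair "$dir" home \
        || { rm -rf "$dir"; return 2; }

    # Correct pairing.
    cert_key_match "$dir/office.crt" "$dir/office.key" \
        && echo "office.crt + office.key: match"

    # Wrong pairing: the situation X509_check_private_key rejects.
    cert_key_match "$dir/office.crt" "$dir/home.key" \
        || echo "office.crt + home.key: key values mismatch"

    rm -rf "$dir"
}

demo
```

Run against the real files as `cert_key_match office.crt office.key; echo $?` to see which of the three outcomes applies.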