AD with PKI authentication - issue on cert generation

AD with PKI authentication - issue on cert generation

smalldragoon

Hi,

I’m trying to install an AD with PKI auth, so I’m referring to: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login

Let’s put aside of course Samba config ….

 

I’m now trying to generate the root CA.

Using the template in the wiki,

When I try to

openssl req -new -x509 -days 3650 -sha256 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf

I get the following error:

problem creating object msSmartcardLogin=1.3.6.1.4.1.311.20.2.2
140375913190464:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:698:

 

I already tried to replace

scardLogin=1.3.6.1.4.1.311.20.2.2

with

msSmartcardLogin=1.3.6.1.4.1.311.20.2.2

as I found in the thread, but it doesn’t solve my issue.

I can post in SSL forum but as it is Samba specific, I’m trying here first as I guess I’m missing something basic ?

 

Please note that I do not intend to use smartcard, but ONLY certificate, if it can help

Thanks !

 

Lionel

 



Re: AD with PKI authentication - issue on cert generation

Matt Caswell-2


On 17/03/2020 12:33, Lionel Monchecourt wrote:

> I already tried to replace
>
> scardLogin=1.3.6.1.4.1.311.20.2.2
>
> with
>
> msSmartcardLogin=1.3.6.1.4.1.311.20.2.2

Try removing this line altogether. OpenSSL already has a built-in object
of this name with this OID so it should not be necessary.

Matt


RE: AD with PKI authentication - issue on cert generation

smalldragoon
Hi Matt,
Thanks a lot,
Getting the same error for
msUPN=1.3.6.1.4.1.311.20.2.3, I removed it as well
is it by default in openssl as well ?
btw, removing these 2, I can generate my certificate without problem


Re: AD with PKI authentication - issue on cert generation

Matt Caswell-2


On 18/03/2020 11:35, Lionel Monchecourt wrote:
> Hi Matt,
> Thanks a lot,
> Getting the same error for
> msUPN=1.3.6.1.4.1.311.20.2.3, I removed it as well
> is it by default in openssl as well ?
> btw, removing these 2, I can generate my certificate without problem

Yes - it exists so removing it should be fine.

Matt


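Added example (not part of the thread, and not OpenSSL or Samba code): a shell check for the situation described in the replies above, listing the entries of a config's OID section whose name or OID OpenSSL already defines. The sample config, the `exampleOID` entry, the function names and the section name `new_oids` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find OID-section entries that OpenSSL already defines.

# Constructed sample config (not the wiki template); exampleOID is made up.
sample_cnf() {
    cat <<'EOF'
oid_section = new_oids

[ new_oids ]
msSmartcardLogin=1.3.6.1.4.1.311.20.2.2   # line from the thread
msUPN=1.3.6.1.4.1.311.20.2.3              # line from the thread
exampleOID=1.3.6.1.4.1.99999.1            # hypothetical private OID

[ req ]
distinguished_name = req_dn
EOF
}

# Print "name=oid" for each entry of section $2 (default new_oids) in file $1.
oid_entries() {
    awk -v want="${2:-new_oids}" '
        { sub(/[ \t]*#.*/, "") }                     # strip comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == "[" want "]"); next }
        insec && /=/ { gsub(/[ \t]/, ""); print }
    ' "$1"
}

# Succeed if $1 (a name or a dotted OID) is compiled into OpenSSL.
# OPENSSL_CONF=/dev/null keeps OIDs from a system-wide config out of the result.
is_builtin() {
    out=$(OPENSSL_CONF=/dev/null openssl asn1parse -genstr "OID:$1" 2>/dev/null) || return 1
    case $1 in *[!0-9.]*) return 0 ;; esac   # a name that parses is known
    [ "${out##*:}" != "$1" ]                 # unknown OIDs print back as digits
}

# List the entries whose name or OID is already known; defining one of these
# again is what produces the "oid exists" error.
redundant_oids() {
    oid_entries "$1" "$2" | while IFS='=' read -r name oid; do
        if is_builtin "$oid" || is_builtin "$name"; then
            echo "$name=$oid"
        fi
    done
}

# Usage: sh check_oids.sh /etc/ssl/openssl.cnf [section]
if [ $# -gt 0 ]; then redundant_oids "$@"; fi
```

Entries it prints can be deleted from the OID section; the names remain usable elsewhere in the config because OpenSSL resolves them from its own table.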

RE: AD with PKI authentication - issue on cert generation

smalldragoon
Thanks Matt !
I will let you know if there are any further issues when I use it with the Samba AD server
Thx

