eaptls certificate question
Norbert Wegener
nw at sbs.de
Tue Feb 14 09:17:20 CET 2006
Jorgen Rosink wrote:
>On 2/13/06, Norbert Wegener <nw at sbs.de> wrote:
>
>
>>> Alan DeKok wrote:
>>> 1.0.x doesn't support certificate chains. 1.1.0 does.
>>>
>>>
>>>
>>>
>>hm:
>>Script started on Mon Feb 13 19:34:45 2006
>>
>>lnxad:/etc # radiusd -v
>>radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 13 2006 at 19:31:10
>>
>>
>
>I had the same issue as you last week; Alan pointed me to the
>required extensions needed in the certificates to use with FreeRadius.
>
>[ xpclient_ext]
>extendedKeyUsage = 1.3.6.1.5.5.7.3.2
>[ xpserver_ext ]
>extendedKeyUsage = 1.3.6.1.5.5.7.3.1
>
>In my case these extensions were missing in the certificate I got;
>did you check yours?
>
>
Thanks, but this seems not to be the problem. Those extensions exist in
the certificate.
At least I am able to see them when importing the certificate into Windows:
Serverauthentication(1.3.6.1.5.5.7.3.1)
Clientauthentication(1.3.6.1.5.5.7.3.2)
Ip-security-IKE,intermediate(1.3.6.1.5.5.8.2.2)
and the same certificate with openssl shows me:
...
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0,.$+.....7...........$... at ...n5...=......d...
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication, 1.3.6.1.5.5.8.2.2
1.3.6.1.4.1.311.21.10:
That should be sufficient, correct?
So maybe there is another reason for that problem?
Norbert Wegener
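
Added example, not part of the original message or of FreeRADIUS: a Python check over `openssl x509 -noout -text` output that reports whether the two extendedKeyUsage OIDs quoted in the thread are present. The sample text is constructed, OpenSSL's usual indentation is assumed, and the function names are hypothetical.

```python
import re

# OpenSSL display names for the two purposes quoted in the thread, mapped to OIDs.
EKU_NAMES = {
    "TLS Web Server Authentication": "1.3.6.1.5.5.7.3.1",
    "TLS Web Client Authentication": "1.3.6.1.5.5.7.3.2",
}
REQUIRED = {"server": "1.3.6.1.5.5.7.3.1", "client": "1.3.6.1.5.5.7.3.2"}
EKU_HEADER = re.compile(r"^(\s*)X509v3 Extended Key Usage:\s*(critical)?\s*$")

def extended_key_usage(text):
    """Return (set of EKU OIDs, critical flag), or (None, False) if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = EKU_HEADER.match(line)
        if not m:
            continue
        indent = len(m.group(1))
        values = []
        # Value lines are indented deeper than the extension header.
        for follow in lines[i + 1:]:
            if not follow.strip() or len(follow) - len(follow.lstrip()) <= indent:
                break
            values.append(follow.strip())
        items = [v.strip() for v in " ".join(values).split(",") if v.strip()]
        # Unknown purposes are printed by OpenSSL as dotted OIDs; keep them as-is.
        return {EKU_NAMES.get(item, item) for item in items}, bool(m.group(2))
    return None, False

def check_role(text, role):
    """Report whether the certificate text carries the EKU for 'server' or 'client'."""
    oids, _critical = extended_key_usage(text)
    if oids is None:
        return "no EKU extension"
    return "ok" if REQUIRED[role] in oids else "missing " + REQUIRED[role]

# Constructed sample, modelled on the extension layout OpenSSL prints.
SAMPLE_BOTH = """\
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Subject Key Identifier:
                (constructed placeholder)
"""
SAMPLE_CLIENT_ONLY = SAMPLE_BOTH.replace("TLS Web Server Authentication, ", "").replace(", 1.3.6.1.5.5.8.2.2", "")
SAMPLE_NONE = "            X509v3 Key Usage:\n                Digital Signature\n"

if __name__ == "__main__":
    for name, sample in [("both", SAMPLE_BOTH), ("client-only", SAMPLE_CLIENT_ONLY), ("none", SAMPLE_NONE)]:
        print(name, check_role(sample, "server"), check_role(sample, "client"))
```
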