Re: Everything looks like it works, but PC is not authenticated
Hi Alan,
> It looks like it is doing machine authentication, in which case the
Correct.
> certs (both client and server) need the machine authentication OIDs,
I read that again and again, but I already have these OIDs in the certs.
Here is a dump of my server cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de
        Validity
            Not Before: Aug 10 09:33:43 2006 GMT
            Not After : Aug 10 09:33:43 2007 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=radius.verwaltung.kh-berlin.de/emailAddress=sc-it@kh-berlin.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                42:A9:4A:9F:04:88:71:B1:78:D4:1A:5D:00:A5:66:8E:78:C0:45:FF
            X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05
            X509v3 Issuer Alternative Name:
                email:sc-it@kh-berlin.de
            X509v3 Subject Alternative Name:
                email:sc-it@kh-berlin.de
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
                !!!!!!!!!!!!!!
    Signature Algorithm: sha1WithRSAEncryption
        [...]
Isn't that exactly what it should look like?
And here is the client:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de
        Validity
            Not Before: Sep 1 11:18:32 2006 GMT
            Not After : Sep 1 11:18:32 2007 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=vinfo-t1/emailAddress=vinfo-t1-neuer@local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                C0:72:0A:91:71:D9:E7:A9:73:CC:B4:B0:AD:17:B4:ED:61:AF:06:B9
            X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05
            X509v3 Issuer Alternative Name:
                email:sc-it@kh-berlin.de
            X509v3 Subject Alternative Name:
                email:vinfo-t1-neuer@local
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
                !!!!!!!!!
    Signature Algorithm: sha1WithRSAEncryption
        [...]
What else could be a problem? How do you guys handle the
"host/<netbiosname>" problem? Could that break the cert?
TIA
Alex
--
ServiceCenter IT - Alexandros Gougousoudis (Leiter)
Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule
für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst
Busch".
Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
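
Added example, not part of the original message: a way to check the Extended Key Usage that `openssl x509 -text` prints against the role a certificate plays in EAP-TLS, which also works when the dump has lost its indentation. The function names and the sample dump are constructed for illustration; the two OIDs are the standard id-kp-serverAuth and id-kp-clientAuth values.

```python
import re

# EKU names as printed by `openssl x509 -text`, mapped to their OIDs.
EKU_OIDS = {
    "TLS Web Server Authentication": "1.3.6.1.5.5.7.3.1",  # id-kp-serverAuth
    "TLS Web Client Authentication": "1.3.6.1.5.5.7.3.2",  # id-kp-clientAuth
}
# EKU each side of the EAP-TLS handshake is expected to carry.
REQUIRED = {"server": "1.3.6.1.5.5.7.3.1", "client": "1.3.6.1.5.5.7.3.2"}

# Constructed sample: extension block laid out like a client cert dump.
SAMPLE_CLIENT = """\
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: critical
        TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
"""

def parse_extensions(dump):
    """Map extension name -> (critical, [values]) from openssl text output."""
    exts, current, in_block = {}, None, False
    for raw in dump.splitlines():
        line = raw.strip()  # indentation is not needed, so flattened dumps work
        if line == "X509v3 extensions:":
            in_block = True
        elif in_block and line.startswith("Signature Algorithm:"):
            break  # the signature follows the extension block
        elif in_block and line:
            m = re.match(r"((?:X509v3|Netscape) [^:]+):\s*(critical)?$", line)
            if m:
                current = m.group(1)
                exts[current] = (m.group(2) is not None, [])
            elif current:
                exts[current][1].extend(v.strip() for v in line.split(",") if v.strip())
    return exts

def check_eku(dump, role):
    """Return a list of findings; an empty list means the EKU fits the role."""
    exts = parse_extensions(dump)
    if "X509v3 Extended Key Usage" not in exts:
        return ["no Extended Key Usage extension"]
    oids = {EKU_OIDS.get(n, n) for n in exts["X509v3 Extended Key Usage"][1]}
    if REQUIRED[role] not in oids:
        return [f"EKU lacks {REQUIRED[role]} for role {role}"]
    return []
```

An empty result only says the EKU matches the role; it does not cover the other things a supplicant may check, such as the subject or subject alternative name.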