Win XP with 802.1x PEAP (EAP-MSCHAP V2)

Marc Charbonneau MCharbonneau at
Fri Apr 27 18:59:21 CEST 2007

Hi, it looks like I used a certificate with the wrong OID.  I used a
cert minted with their "SubCA" template which doesn't have the (OID
In "playing" with the Microsoft CA on Windows 2003 server, I've found
that the Certificate made using the "Web Server" template is the one
required.  Unfortunately, this particular template doesn't allow the
Certificate's keys to be exported.  I tried creating a new Certificate
template by copying from the one called "Web Server" and now, I have a
new "Web Server" template with the ability to export its keys.  The
problem is I can't seem to make use of this new template within their
I know this is a Microsoft issue but I've looked high and low in their
docs and when you go to their CA and try to select "Certificate Template
to Issue", the new templates created are not available.  I'm a little
obsessed with making this work so I'm hoping someone here has a quick answer
to making Microsoft's CA allow me to mint a Web Server certificate with
exportable keys.
Thanks for any future and previous help,

>>> karlsen-masur at 4/27/2007 4:11:58 AM >>>


A.L.M.Buxey at wrote:
> either use your current tool but include the XP extensions as

Just to be precise. The named extensions are PKIX extensions for
(OID (at the RADIUS server) and clientAuth (OID (for EAP-TLS on the supplicant).

Also if a client certificate is used on Windows with EAP-TLS the
extendedKeyUsage "Microsoft SmartCard Logon" (OID
*must not* be present because Windows won't be able to use/choose such
client certificate to authenticate at the RADIUS server.

It is only Windows that is looking at these extendedKeyUsages in the
certificate and expecting the correct extensions here.

Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH,, Phone +49 40
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE


More information about the Freeradius-Users mailing list