client certs

tnt at kalik.net
Thu Dec 11 01:13:24 CET 2008


>freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
>
>followed instructions in certs/README perfectly - so I believe.
>
>server certs seem fine but generated client cert in Windows shows
>"Windows does not have enough information to verify" and yes, I have
>loaded the 'ca.der' file generated by the instructions on the Windows
>client and that installs in 'Trusted Root Authorities'. The 'client'
>cert seems to install in 'Other People', and does include the
>XPextensions stuff.
>
>So I'm trying to verify the client certificate...
>
># openssl verify -CAfile ca.pem spare\@myorg.com.pem
>spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare at myorg.com/emailAddress=spare at myorg.com
>error 20 at 0 depth lookup:unable to get local issuer certificate
>
>so I figured I would try to verify it against the server file...
># openssl verify -CAfile server.pem spare\@myorg.com.pem
>spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/emailAddress=craig at myorg.com
>error 2 at 1 depth lookup:unable to get issuer certificate
>
>but indeed the server file verifies...
>
># openssl verify -CAfile ca.pem server.crt
>server.crt: OK
>
># openssl verify -CAfile ca.pem server.pem
>server.pem: OK
>
>This would seem pretty simple (the directions make it seem simple)
>edited client.cnf
>changed input/output password values to the same, simple value
>changed the e-mail address and cn to the same value as shown above
>
>What am I doing wrong?
>

Try the attached Makefile. It has been altered so client certificates are
signed by the CA and not the server certificate. I was unable to
"persuade" up-to-date Windows PCs to accept the server certificate as an
Intermediate CA. Changing the issuer resolved the problem.

Ivan Kalik
Kalik Informatika ISP
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile
Type: application/octet-stream
Size: 4540 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081211/29a9c36e/attachment.obj>
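
The issuer problem described in this reply, reproduced as an added example (not part of the original message and not the attached Makefile): a throwaway CA signs a server certificate, one client certificate is then issued by the server certificate and another directly by the CA, and each is checked with the same `openssl verify -CAfile ca.pem` call used in the quoted post. All file names, subjects and helper functions are constructed for this demo.

```shell
#!/bin/sh
# Added example: throwaway PKI in a temp dir; every name and subject is made up.

# Create a key + CSR for subject $1 and sign it with issuer $2.pem/$2.key -> $3.pem
issue() {
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "$1" \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 30 -out "$3.pem" >/dev/null 2>&1
}

# Build the demo PKI and print the directory that holds it.
make_demo_pki() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # Minimal config so the demo does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > demo.cnf
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 \
      -nodes -days 30 -subj "/CN=Demo CA" -keyout ca.key -out ca.pem \
      >/dev/null 2>&1 &&
    issue "/CN=Demo Radius Server" ca server &&                 # server <- CA
    issue "/CN=client-by-server" server client_by_server &&     # client <- server
    issue "/CN=client-by-ca" ca client_by_ca                    # client <- CA
  ) || return 1
  echo "$dir"
}

# True when cert $2 in directory $1 verifies with ca.pem as the only
# trusted certificate (same check as "openssl verify -CAfile ca.pem <cert>").
chains_to_ca() {
  (cd "$1" && openssl verify -CAfile ca.pem "$2" 2>&1) | grep -q ': OK$'
}

demo_dir=$(make_demo_pki) || exit 1
for c in server.pem client_by_server.pem client_by_ca.pem; do
  if chains_to_ca "$demo_dir" "$c"; then echo "$c: OK"
  else echo "$c: no path to ca.pem"; fi
done
rm -rf "$demo_dir"
```

Only the client certificate whose issuer is the server certificate fails, because a verifier holding just `ca.pem` has no certificate matching that issuer name.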

