client certs

Craig White craigwhite at azapple.com
Thu Dec 11 03:17:07 CET 2008


On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote:
> Craig,
> 
> Apparently Windows automatically sends non-CA certificates in DER or
> PEM format to the "Other People" certificate store. More importantly,
> the wireless supplicant in Windows XP will not work with PEM or DER
> formatted client certificates. It'll complain that you have no
> certificate. You must convert to pkcs12 as the documentation states.
> 
> openssl pkcs12 -export -in certname.pem \
> -inkey keyname.key -out name.p12 -clcerts
----
Jason

Thanks for the help. Last week when I was generating certificates my own
way, I was doing that and yes, as Ivan points out, the 'scripted' way
that make client.pem does make the p12 cert for the client.

My issue now - and obviously sh*t happens as I change things around - is
that with the certificates newly generated and radiusd restarted in
'debug' mode, the newly minted ca.der and client.p12 certificates
installed in their proper homes in 'certificates'

following the instructions here...
http://wiki.freeradius.org/WPA_HOWTO#Step_4:_Configure_the_Client

I 'repair' or 'refresh' Network Connection (obviously the repair is for
the Wireless) and it hems/haws and finally says Authentication failed
but the wireless AP never makes an effort to connect to the radius
server. Just rebooted the laptop and checked for stale info in regedit
HKCU\Software\Microsoft\EAPOL (none)

This AP has been talking to the radius server for weeks now (and all day
today) and authenticating Macintosh and iPhone clients but Windows is
making me absolutely nuts. The radius server is also authenticating for
my RRAS server on a Windows server on the LAN...my only issue has been
Windows laptops  ;-(

At least earlier with my otherwise generated certificates, I could get
through the AP and to the radius server but now...it's like no one is
home. The Wireless AP does show my connection but that's it.

I'm very frustrated

Craig
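
The PEM-to-PKCS#12 conversion quoted above, followed by a check that the resulting bundle really holds one client certificate and its private key before it is imported on the Windows side. This is an added example, not part of the original thread or of the FreeRADIUS scripts; the throwaway key, the `test-client` subject, the file names, the password and the function names `make_p12` and `check_p12` are all constructed for illustration.

```shell
#!/bin/sh
# Constructed example: a throwaway key and self-signed certificate stand in
# for the real client.pem / client.key. Paths and password are placeholders.

# make_p12 WORKDIR PASSWORD
# Create a test key + certificate and bundle them as PKCS#12.
make_p12() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test-client" \
        -keyout "$dir/client.key" -out "$dir/client.pem" 2>/dev/null || return 1
    # Same conversion as in the quoted message, with a non-interactive password.
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -clcerts -passout "pass:$pass" 2>/dev/null
}

# check_p12 FILE PASSWORD
# Print "certs=N keys=M" for the bundle; return non-zero if it cannot be
# opened (wrong password, truncated file, not PKCS#12 at all).
check_p12() {
    file=$1; pass=$2
    dump=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nodes 2>/dev/null) \
        || return 1
    certs=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    keys=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true)
    echo "certs=$certs keys=$keys"
}

# Stand-alone run: build a bundle in a temp directory and inspect it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_p12 "$tmp" "changeit" && check_p12 "$tmp/client.p12" "changeit"
    rm -rf "$tmp"
fi
```

A bundle that reports `keys=0` carries only the certificate, so the client would have nothing to authenticate with even though the import itself succeeds.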



