certificate client.* non valid on windows XP

Reveal MAP revealmapp at yahoo.fr
Sat Jul 12 18:41:22 CEST 2008


Thank you Sergio for your answer.


- Windows also says that one of the certificate authorities seems not
to be able to deliver certificates or can't be used as a final entity...
So I tried what you said: installing Server.p12 as an intermediate CA, without resolving the problem.

I will try to make my own certs and see. Thanks!

-----

>  
I had the same problem. The fact is that server is an intermediate 
authority and, using Internet Explorer, you need to install server.p12 
into the intermediate trusted CA container. Also check the validity period 
(beginning date). I had to change the Windows date to the next day, but I don't 
remember why. Finally I made my own CA because the default radius PKI was 
confusing me, and I used my CA private key to sign client.*
I hope that this helps you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



----- Original Message ----
From: Sergio <sergioyebenes at alumnos.upm.es>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Sunday, 13 July 2008, 16:09:34
Subject: Re: certificate client.* non valid on windows XP

Reveal MAP wrote:
> Hi,
>
> I use freeradius 2.0.5 and openSUSE 10.3
>
> I ran the "bootstrap" script + "make client.pem", "make.client.p12",
> - I imported "ca.der" on my XP laptop, located in the CA Authority 
> container.
> I imported server.p12 too (just to verify the signature) and 
> everything is OK
> - But when I import client.p12, Windows tells me this certificate is 
> not valid! and I don't know why.
>
> I executed two commands: server.vrfy and client.vrfy, hoping their 
> output (below) could help.
>
>
> Thank you for helping
> -------------------------------------------------------------------------------------------------
> linux:/etc/raddb/certs # make server.vrfy
> openssl verify -CAfile ca.pem server.pem
> server.pem: OK
>
>
> make client.vrfy
> openssl pkcs12 -export -in server.crt -inkey server.key -out 
> server.p12  -passin pass:`grep output_password server.cnf | sed 
> 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | 
> sed 's/.*=//;s/^ *//'`
> openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep 
> output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout 
> pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
> MAC verified OK
> openssl pkcs12 -export -in client.crt -inkey client.key -out 
> client.p12  -passin pass:`grep output_password client.cnf | sed 
> 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | 
> sed 's/.*=//;s/^ *//'`
> openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep 
> output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout 
> pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
> MAC verified OK
> cp client.pem `grep emailAddress client.cnf | grep '@' | sed 
> 's/.*=//;s/^ *//'`.pem
> c_rehash .
> Doing .
> 02.pem => eee97f35.0
> WARNING: Skipping duplicate certificate user at example.com.pem
> client.pem => 583a9f4b.0
> 01.pem => dcd1729a.0
> WARNING: Skipping duplicate certificate user2 at example.com.pem
> server.pem => dcd1729a.1
> WARNING: Skipping duplicate certificate 03.pem
> WARNING: Skipping duplicate certificate 04.pem
> ca.pem => 23537b55.0
> openssl verify -CApath . client.pem
> client.pem: OK
>

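The two checks raised in this thread (who actually signed client.*, and when its validity period begins) can be run with openssl before importing anything on Windows. This is an added example, not part of the original messages or of FreeRADIUS: it builds a constructed lab chain (`Lab CA`, `lab-server`, `lab-client`, all hypothetical names) in which the server certificate is assumed to have been issued without a CA flag, then prints the leaf's start date and whether each issuer is marked as a CA.

```shell
#!/bin/sh
# Constructed lab chain modelled on the thread: ca -> server -> client,
# with the client signed by the server key. Names are made up (assumption).
LAB=$(mktemp -d)

build_lab() {
  cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$LAB/lab.cnf" \
    -subj "/CN=Lab CA" -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" \
      -subj "/CN=lab-$n" -keyout "$LAB/$n.key" -out "$LAB/$n.csr" 2>/dev/null
  done
  # No -extfile: the server certificate is issued without a CA flag.
  openssl x509 -req -days 30 -in "$LAB/server.csr" -CA "$LAB/ca.pem" \
    -CAkey "$LAB/ca.key" -set_serial 1 -out "$LAB/server.pem" 2>/dev/null
  openssl x509 -req -days 30 -in "$LAB/client.csr" -CA "$LAB/server.pem" \
    -CAkey "$LAB/server.key" -set_serial 2 -out "$LAB/client.pem" 2>/dev/null
}

# cn_of subject|issuer FILE: print the CN of that name field.
cn_of() { openssl x509 -in "$2" -noout "-$1" | sed 's/.*CN *= *//'; }

# is_ca FILE: succeed only if basicConstraints says CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# audit_chain LEAF ISSUER...: print the leaf's start date, then walk up
# to a self-signed root and report whether each issuer is marked as a CA.
audit_chain() {
  cur=$1; shift
  echo "$(cn_of subject "$cur"): $(openssl x509 -in "$cur" -noout -startdate)"
  while [ "$(cn_of subject "$cur")" != "$(cn_of issuer "$cur")" ]; do
    want=$(cn_of issuer "$cur"); next=
    for c in "$@"; do
      if [ "$(cn_of subject "$c")" = "$want" ]; then next=$c; fi
    done
    if [ -z "$next" ]; then echo "$want: issuer not supplied"; return 2; fi
    if is_ca "$next"; then echo "$want: CA:TRUE"; else echo "$want: NOT a CA"; fi
    cur=$next
  done
}

build_lab && audit_chain "$LAB/client.pem" "$LAB/server.pem" "$LAB/ca.pem"
```

To get the same report for real files, call `audit_chain client.pem server.pem ca.pem` from the certs directory; the notBefore value is printed in GMT, so compare it against the client machine's clock and time zone.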