certificate client.* non valid on windows XP

Sergio sergioyebenes at alumnos.upm.es
Sun Jul 13 18:59:38 CEST 2008


Reveal MAP wrote:
> Thank you Sergio for your answer.
>
>
> - Windows also says that one of the certificate authorities seems not to
> be able to deliver certificates, or can't be used as a final entity...
> so I tried what you said: install Server.p12 as an intermediate CA,
> without resolving the problem.
>
> I will try to make my own certs and see. Thanks!
>
> -----
>
> > 
> I had the same problem. The fact is that server is an intermediate
> authority and, using Internet Explorer, you need to install server.p12
> into the intermediate trusted CA container. Also check the validity period
> (beginning date). I had to change the Windows date to the next day, but I don't
> remember why. Finally I made my own CA because the default radius PKI was
> confusing me, and I used my CA private key to sign client.*
> I hope that this helps you.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
> ----- Original Message -----
> From: Sergio <sergioyebenes at alumnos.upm.es>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Sunday, 13 July 2008, 16:09:34
> Subject: Re: certificate client.* non valid on windows XP
>
> Reveal MAP wrote:
> > Hi,
> >
> > I use freeradius 2.0.5 and openSUSE 10.3
> >
> > I ran the "bootstrap" script + "make client.pem", "make client.p12",
> > - I imported "ca.der" on my XP laptop, into the CA Authority
> > container.
> > I imported server.p12 too (just to verify the signature) and
> > everything is OK.
> > - But when I import client.p12, Windows tells me this certificate is
> > not valid! And I don't know why.
> >
> > I executed two commands: server.vrfy and client.vrfy, hoping their
> > output (below) could help.
> >
> >
> > Thank you for helping
> > 
> -------------------------------------------------------------------------------------------------
> > linux:/etc/raddb/certs # make server.vrfy
> > openssl verify -CAfile ca.pem server.pem
> > server.pem: OK
> >
> >
> > make client.vrfy
> > openssl pkcs12 -export -in server.crt -inkey server.key -out
> > server.p12  -passin pass:`grep output_password server.cnf | sed
> > 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf |
> > sed 's/.*=//;s/^ *//'`
> > openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
> > output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout
> > pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
> > MAC verified OK
> > openssl pkcs12 -export -in client.crt -inkey client.key -out
> > client.p12  -passin pass:`grep output_password client.cnf | sed
> > 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf |
> > sed 's/.*=//;s/^ *//'`
> > openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep
> > output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout
> > pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
> > MAC verified OK
> > cp client.pem `grep emailAddress client.cnf | grep '@' | sed
> > 's/.*=//;s/^ *//'`.pem
> > c_rehash .
> > Doing .
> > 02.pem => eee97f35.0
> > WARNING: Skipping duplicate certificate user at example.com.pem
> > client.pem => 583a9f4b.0
> > 01.pem => dcd1729a.0
> > WARNING: Skipping duplicate certificate user2 at example.com.pem
> > server.pem => dcd1729a.1
> > WARNING: Skipping duplicate certificate 03.pem
> > WARNING: Skipping duplicate certificate 04.pem
> > ca.pem => 23537b55.0
> > openssl verify -CApath . client.pem
> > client.pem: OK
> >
> > ------------------------------------------------------------------------
> > Sent with Yahoo! Mail
> > <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>.
> > A smarter mailbox.
> >
> > __________ NOD32 information, revision 3263 (20080711) __________
> >
> > This message has been scanned with NOD32 antivirus system
> > http://www.nod32.com
> > ------------------------------------------------------------------------
> >
>
>
Try to install server.cer, not server.p12, into the intermediate container.
Open the client cert with IE and look at the certification route. If you can see the
3-level route but the client cert isn't OK, check the dates. I'm sure this works.
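The checks the thread circles around (is the chain complete, does the intermediate carry CA constraints, are the dates right?) can be reproduced on the command line. The script below is an added example, not part of the thread and not FreeRADIUS's bootstrap script or certs Makefile: it builds its own throwaway three-level PKI (root CA, intermediate named "server" as in the thread, and a client certificate) with the openssl CLI, the way Sergio describes making his own CA, and then runs the verification the way Windows would see it with and without the intermediate, plus a date check using a simulated clock. It assumes only that `openssl` and `mktemp` are on the PATH; every name in it (Example Root CA, user@example.com) is made up.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeRADIUS's bootstrap/Makefile:
# build a throwaway three-level PKI (root CA -> intermediate CA -> client) in a
# temporary directory, then run the checks the thread talks about with the
# openssl CLI. Assumes only that `openssl` and `mktemp` are on PATH; every
# name below (Example Root CA, user@example.com, ...) is made up.
set -eu

PKI=$(mktemp -d)

# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$PKI/req.cnf"

# issue_cert NAME SUBJECT EXTENSIONS [ISSUER]: generate an (unencrypted, test-only)
# key and CSR, then sign it with ISSUER, or self-sign when ISSUER is omitted.
issue_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI/req.cnf" \
    -subj "$subj" -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$PKI/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" -days 3650 \
      -sha256 -extfile "$PKI/$name.ext" -out "$PKI/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.pem" \
      -CAkey "$PKI/$issuer.key" -CAcreateserial -days 365 -sha256 \
      -extfile "$PKI/$name.ext" -out "$PKI/$name.pem" 2>/dev/null
  fi
}

# Same shape as the thread: "ca" signs "server" (an intermediate CA), which
# signs "client". basicConstraints is what decides whether a certificate is
# treated as a CA or as an end entity.
build_pki() {
  issue_cert ca "/CN=Example Root CA" \
    "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
  issue_cert server "/CN=Example Intermediate CA" \
    "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign" ca
  issue_cert client "/CN=user@example.com" \
    "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth" server
}

# The "certification route" IE shows: subject and issuer of each link.
show_chain() {
  for c in client server ca; do
    openssl x509 -in "$PKI/$c.pem" -noout -subject -issuer
  done
}

# Correct check: trust the root, supply the intermediate as an untrusted link.
verify_full_chain() {
  openssl verify -CAfile "$PKI/ca.pem" -untrusted "$PKI/server.pem" \
    "$PKI/client.pem" >/dev/null 2>&1
}

# What a machine with only ca.der imported sees: the intermediate is missing,
# so the chain cannot be built and openssl verify exits non-zero.
verify_root_only() {
  openssl verify -CAfile "$PKI/ca.pem" "$PKI/client.pem" >/dev/null 2>&1
}

# Date check with a simulated clock: verifying as of one day ago fails with
# "certificate is not yet valid", the symptom of a client clock behind the
# certificate's notBefore (why the thread mentions moving the Windows date).
verify_as_of_yesterday() {
  openssl verify -CAfile "$PKI/ca.pem" -untrusted "$PKI/server.pem" \
    -attime $(( $(date +%s) - 86400 )) "$PKI/client.pem" 2>&1 || true
}

# Plain expiry check: exit 0 when the certificate is still valid right now.
client_not_expired() {
  openssl x509 -in "$PKI/client.pem" -noout -checkend 0 >/dev/null
}

build_pki
show_chain
verify_full_chain && echo "full chain: OK"
verify_root_only || echo "root only: chain incomplete (intermediate missing)"
verify_as_of_yesterday
client_not_expired && echo "client.pem: not expired"
```

The "root only" failure is the interesting one: it is the same situation as importing just ca.der on the laptop, and it is why the thread's `make client.vrfy` only passed because `-CApath .` happened to contain server.pem as well. The `-attime` run shows what a client with a clock behind the certificate's notBefore reports, which is cheaper than changing the system date to find out.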



More information about the Freeradius-Users mailing list