[EAP-TLS Windows 7] Problem with chain certificate on the client side

jinx_20 gabriel_skupien at o2.pl
Mon Apr 30 14:18:35 CEST 2012

I think I found a reason. In the root and sub CA certificates there was
*Extended Key Usage* set to "OCSP Signing" what limited using of any user
certificate issued by those CAs to "OCSP Signing" purpose.
/ Extended Key Usage 
   This extension indicates one or more purposes for which the certified
   public key may be used, in addition to or in place of the basic
   purposes indicated in the key usage extension.  In general, this
   extension will appear only in end entity certificates. [RFC 5280]/

After removing EKU OIDs from CA certificate everything works fine.

But I sill cannot understand why FR allowed to connect when I had removed
Sub2_CA certificate from cert store. 


View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675822.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

More information about the Freeradius-Users mailing list