Server certificate confusion
nick at howitts.co.uk
Wed Apr 18 11:40:06 CEST 2018
On 17/04/2018 14:35, Nick Howitt wrote:
> On 17/04/2018 13:55, Alan DeKok wrote:
>> On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick at howitts.co.uk> wrote:
>>> Replying to my own post.
>>> There was a permission problem which I've now fixed, but I still get
>>> (6) eap_tls: ERROR: SSL says error 26 : unsupported certificate
>> That means that the certificate hierarchy is wrong. i.e. cert A
>> has created cert B, but cert A doesn't have OIDs which say it's
>> allowed to create sub-certificates.
>> Newer versions of OpenSSL check these settings. Older versions of
>> OpenSSL didn't do that.
>> How did you create the certificates? The scripts in the
>> raddb/certs directory should work, so using those would probably help.
>> Alan DeKok.
>> List info/subscribe/unsubscribe? See
> Thanks for the reply. The distro, ClearOS, is working in a slightly
> funny way. The CA is created from (adjusted expanding the variables
> with the config file):
> openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep
> default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config
> It is a little tortuous with how it gets here, but it is using the
> default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking
> the generated CA, I see:
> X509v3 Basic Constraints: critical
I've reverted the setup to use the standard FreeRADIUS certs and I've
been through the certs README, deleting all certificates and recreating
the ca.pem and server certs (btw I think the order in the README is
wrong as you need to create the server.csr before the server.pem) and
I've hit the same "(6) eap_tls: ERROR: SSL says error 26 : unsupported
certificate purpose" issue when running eapol_test with the new certs.
If I remove the "-extensions xpserver_ext -extfile xpextensions" from
the makefile and recreate the server.pem, the eapol_test passes but
presumably the certs will be rejected by M$ Windows.
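
The purpose check that produces error 26 can be reproduced offline with the openssl command line. The script below is an added example, not part of the original thread or of FreeRADIUS's own scripts: it issues constructed leaf certificates with a server-only extendedKeyUsage, a client-only one and none at all, then asks `openssl verify -purpose` whether each is acceptable as a TLS server or client certificate. The `demo_*` section names, file names and subjects are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and leaf certs in a temp dir; all names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[demo_ca]
basicConstraints = critical,CA:TRUE
[demo_server_ext]
extendedKeyUsage = serverAuth
[demo_client_ext]
extendedKeyUsage = clientAuth
EOF

# Self-signed CA that carries the Basic Constraints extension (CA:TRUE).
openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -config "$WORK/demo.cnf" -extensions demo_ca 2>/dev/null

issue_leaf() {  # $1 = name, $2 = extension section (omit for no extensions)
  name=$1; ext=${2:-}
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -config "$WORK/demo.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -days 1 -out "$WORK/$name.pem" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    ${ext:+-extfile "$WORK/demo.cnf" -extensions "$ext"} 2>/dev/null
}

purpose_result() {  # $1 = leaf name, $2 = sslserver | sslclient
  out=$(openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" 2>&1) || true
  case $out in
    *"error 26 "*) echo "error 26" ;;   # purpose check failed
    *": OK"*)      echo "ok" ;;
    *)             echo "other" ;;      # some unrelated verification failure
  esac
}

issue_leaf srv demo_server_ext; issue_leaf cli demo_client_ext; issue_leaf plain
for leaf in srv cli plain; do
  printf '%-6s sslserver=%-9s sslclient=%s\n' "$leaf" \
    "$(purpose_result "$leaf" sslserver)" "$(purpose_result "$leaf" sslclient)"
done
```

The certificate without any extendedKeyUsage passes both purpose checks, which is consistent with eapol_test passing once the extension options were dropped. Running `openssl verify -purpose` against the real ca.pem and the certificate each side presents shows which certificate in the exchange fails the check.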