Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at gmail.com
Fri Dec 14 11:34:23 CET 2018


The exact error msg is 'the request does not contain a certificate
template extension or the Certificate Template request attribute.'
I used `make server.csr` to generate the CSR, and chose the RAS and IAS Server
template, which is used by NPS on Windows, including the EKU 1.3.6.1.5.5.7.3.1.

So I guess some new attribute was added by the MS Server 2016 CA, which makes
the CSR created by `make server.csr` incompatible with it.

I found a way to export the CA of the MS CA and sign with it in
http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.html
I will try it next week.

A quick question: is it possible to not use a password for the client cert? So
I'll use Group Policy and deploy it on all domain computers.
All users share the same cert; is it best practice?

Thanks.

On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn at freeradius.org> wrote:

> On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
> >    Sorry to trouble you again. I created server.csr with make server.csr.
> > When I apply for a cert with the server.csr created by 'make server.csr',
> > the MS Certificate Authority says it cannot find a cert template for my CSR.
>
> You need to ask whoever runs your CA what that means.
>
> The 'Makefile' in the certs dir will use openssl to generate working
> certificates. It's plain text, so you can see what commands it runs.
>
> >    So has anyone experienced this and can offer me a little help?
>
> Make sure the certificates you use have the TLS Web Server
> Authentication and TLS Web Client Authentication OIDs in them. What
> method you use to do that doesn't really matter. The CA should be able
> to add it.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
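
Added example, not part of the original thread and not FreeRADIUS's own scripts: a shell check, using the openssl CLI, that a certificate carries both usages named in the reply above (OID 1.3.6.1.5.5.7.3.1 is displayed by OpenSSL as "TLS Web Server Authentication"). The demo certificate, its file names and its subject are constructed, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: verify that a certificate has the EKUs wanted for EAP-TLS.
# Usage: sh check_eku.sh /path/to/cert.pem   (script name is hypothetical)

# eku_of CERT.pem -> prints the Extended Key Usage value line as OpenSSL renders it
# (prints nothing if the certificate has no EKU extension).
eku_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 |
        sed 's/^ *//; s/ *$//'
}

# has_eku CERT.pem NAME -> exit 0 only if NAME is one of the listed usages.
has_eku() {
    eku_of "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qx "$2"
}

# check_eap_cert CERT.pem -> reports each usage, exit 1 if either is missing.
check_eap_cert() {
    rc=0
    for usage in 'TLS Web Server Authentication' \
                 'TLS Web Client Authentication'; do
        if has_eku "$1" "$usage"; then
            echo "ok:      $usage"
        else
            echo "MISSING: $usage"
            rc=1
        fi
    done
    return $rc
}

# make_demo_cert OUT.pem EKU-LIST -> throwaway self-signed certificate
# (constructed sample input; the key is written to OUT.pem.key).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=radius.example.test' -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# When run with a certificate path, check that file.
if [ "$#" -gt 0 ]; then
    check_eap_cert "$1"
fi
```

The same `openssl x509 -noout -text` output also shows whether the CA actually added the usages when it signed the request.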

