Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at gmail.com
Fri Dec 14 11:57:42 CET 2018


1. Maybe I didn't choose the right cert template; the 'RAS and IAS server
template' is used for Windows NPS. Hard to say.
2. I'll try to use the 'RAS and IAS server temp', create a cert and export
it, then check what it requires by viewing it on Windows, or with openssl
x509 on Linux.


On Fri, Dec 14, 2018 at 6:34 PM luckydog xf <luckydogxf at gmail.com> wrote:

> The exact error msg is 'the request does not contain a certificate
> template extension or the Certificate Template request attribute.'
> I used `make server.csr` to generate the CSR, and chose the RAS and IAS Server
> template, which is used by Windows NPS and includes the EKU 1.3.6.1.5.5.7.3.1.
>
> So I guess some new attribute is added by the MS Server 2016 CA, which makes
> the CSR created by `make server.csr` incompatible with it.
>
> Found a way to export the CA of the MS CA and sign with it in
> http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.html
> Will try it next week.
>
> A quick question: is it possible to not use a password for the client cert? Then
> I'll use Group Policy and deploy it on all domain computers.
> All users sharing the same cert, is it best practice?
>
> Thanks.
>
> On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn at freeradius.org> wrote:
>
>> On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
>> >    Sorry to trouble you again. I created server.csr with `make
>> > server.csr`; when I apply for a cert with the server.csr created by
>> > 'make server.csr', the MS Certificate Authority said it cannot find a
>> > cert template for my CSR.
>>
>> You need to ask whoever runs your CA what that means.
>>
>> The 'Makefile' in the certs dir will use openssl to generate working
>> certificates. It's plain text, so you can see what commands it runs.
>>
>> >    So has anyone experienced this and could offer me a little help?
>>
>> Make sure the certificates you use have the TLS Web Server
>> Authentication and TLS Web Client Authentication OIDs in them. What
>> method you use to do that doesn't really matter. The CA should be able
>> to add it.
>>
>> --
>> Matthew
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
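An added example (not code from this thread or from the FreeRADIUS certs Makefile) of the two things the thread turns on: a CSR whose extension request already carries the TLS Web Server and TLS Web Client Authentication EKUs Matthew asks for, and the openssl x509 check the reply above plans to run on whatever the CA hands back; the hostname, file names, self-signature (standing in for the real CA) and $WORK directory are assumptions.

```shell
# Added example, not code from the thread or from the FreeRADIUS certs/Makefile.
# Names (radius.example.org, file names, $WORK) are assumptions.
WORK="${WORK:-$(mktemp -d)}"   # scratch directory

write_ext_conf() {
  # openssl config; the extendedKeyUsage line is what the CA must end up signing.
  cat > "$WORK/eap.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = eap_ext
prompt             = no
[ dn ]
CN = radius.example.org
[ eap_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth, clientAuth
subjectAltName     = DNS:radius.example.org
EOF
}

make_csr() {
  # Key + CSR; the EKUs ride along in the CSR's extensionRequest attribute.
  write_ext_conf
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -config "$WORK/eap.cnf" >/dev/null 2>&1
}

self_sign() {
  # Stand-in for the real CA so the check can run offline.
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 30 -extfile "$WORK/eap.cnf" -extensions eap_ext \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

make_plain_cert() {
  # Control case: a self-signed cert with no EKU at all (-x509 ignores req_extensions).
  write_ext_conf
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/plain.key" \
    -subj "/CN=plain" -days 30 -config "$WORK/eap.cnf" \
    -out "$WORK/plain.pem" >/dev/null 2>&1
}

has_eap_ekus() {
  # has_eap_ekus cert.pem -> exit 0 only if BOTH EKUs are present.
  eku=$(openssl x509 -in "$1" -noout -text |
        awk '/Extended Key Usage/ { getline; print }')
  echo "$eku" | grep -q "TLS Web Server Authentication" &&
  echo "$eku" | grep -q "TLS Web Client Authentication"
}
```

The Microsoft certificate-template attribute the CA complained about is a separate, CA-side matter that this config does not set; the check only confirms the two EKUs.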