Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at gmail.com
Fri Dec 14 12:02:47 CET 2018


Yes, a shared cert isn't a good idea; an enterprise CA is needed.

Thanks.

On Fri, Dec 14, 2018 at 6:58 PM Matthew Newton <mcn at freeradius.org> wrote:

> On Fri, 2018-12-14 at 18:34 +0800, luckydog xf wrote:
> > The exact error msg is 'the request does not contain a certificate
> > template extension or the Certificate Template request attribute.'
> > I used make server.csr to generate the CSR, and chose the RAS and IAS
> > Server template, which is used by NPS on Windows, including an EKU of
> > 1.3.6.1.5.5.7.3.1.
>
> I'm not sure how else to say "you need to talk to the person who runs
> your CA". Looking at Microsoft errors isn't relevant to the FreeRADIUS
> list.
>
> > A quick question: is it possible to not use a password for the client cert?
>
> Yes.
>
> > So I'll use Group Policy and deploy it on all domain computers.
> > All users share the same cert; is it best practice?
>
> When one of your users does something bad, you have to reissue a new
> certificate to everyone, and you probably don't know who it was anyway?
>
> So no.
>
> --
> Matthew