<div dir="ltr">Hi,<div><br><div class="gmail_extra"><div class="gmail_quote">2013/9/16  <span dir="ltr"><<a href="mailto:A.L.M.Buxey@lboro.ac.uk" target="_blank">A.L.M.Buxey@lboro.ac.uk</a>></span><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>we've had no problems with self-signed CA or with 3rd party CA and standard<br>
RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point)<br>
URL defined. that can either be at CA level or RADIUS level - or both.<br>
<br>
eg<br>
<br>
crlDistributionPoints = URI:<a href="http://yoururl.here/ca.crl" target="_blank">http://yoururl.here/ca.crl</a><br>
<br>
in the server extensions.</blockquote><div>Thank you, Alan, at least it's good to hear someone is out there who got it working.</div><div><br></div><div>Hmm, the server certificate though seems to contain a CRLDP. I've tried removing personal </div>
<div>and attach the openssl output at the end, maybe someone spots a problem...</div><div><br></div><div>Do you happen to have Subject Alternate Names or would you avoid it with RADIUS?</div><div>(That certificate does have them) I know for example that some exotic or (very old) </div>
<div>browsers for example can have problems with SAN, but yet didn't encounter any with PEAP this far.</div><div><br></div><div>The file also contains (in order of appearance): Root CA cert, 1 intermediate CA, then the server cert if</div>
<div>that's of importance.</div><div><br></div><div>-- Mathieu<br></div><div><br></div><div># openssl x509 -text -in /etc/freeradius/certs/myserver.pem<br></div><div><div>Certificate:</div><div>    Data:</div><div>        Version: 3 (0x2)</div>
<div>        Serial Number: <snip!></div><div>    Signature Algorithm: sha1WithRSAEncryption</div><div>        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA</div>
<div>        Validity</div><div>            Not Before: <snip></div><div>            Not After : <snip></div><div>        Subject: ..., C= ... <snip></div><div>        Subject Public Key Info:</div><div>
            Public Key Algorithm: rsaEncryption</div><div>                Public-Key: snip! (yes it's larger than 1024 bit) ;-)</div><div>                Modulus:</div><div>                <snip></div><div>                </div>
<div>        X509v3 extensions:</div><div>            X509v3 Basic Constraints:</div><div>                CA:FALSE</div><div>            X509v3 Key Usage:</div><div>                Digital Signature, Key Encipherment, Key Agreement</div>
<div>            X509v3 Extended Key Usage:</div><div>                TLS Web Client Authentication, TLS Web Server Authentication</div><div>            X509v3 Subject Key Identifier:</div><div>                C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73</div>
<div>            X509v3 Authority Key Identifier:</div><div>                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86</div><div><br></div><div>            X509v3 Subject Alternative Name:</div><div>
                DNS: <snip!></div><div>            X509v3 Certificate Policies:</div><div>                Policy: 2.23.140.1.2.2</div><div>                Policy: 1.3.6.1.4.1.23223.1.2.3</div><div>                  CPS: <a href="http://www.startssl.com/policy.pdf">http://www.startssl.com/policy.pdf</a></div>
<div>                  User Notice:</div><div>                    Organization: StartCom Certification Authority</div><div>                    Number: 1</div><div>                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.</div>
<div><br></div><div>            X509v3 CRL Distribution Points:</div><div><br></div><div>                Full Name:</div><div>                  URI:<a href="http://crl.startssl.com/crt2-crl.crl">http://crl.startssl.com/crt2-crl.crl</a></div>
<div><br></div><div>            Authority Information Access:</div><div>                OCSP - URI:<a href="http://ocsp.startssl.com/sub/class2/server/ca">http://ocsp.startssl.com/sub/class2/server/ca</a></div><div>                CA Issuers - URI:<a href="http://aia.startssl.com/certs/sub.class2.server.ca.crt">http://aia.startssl.com/certs/sub.class2.server.ca.crt</a></div>
<div><br></div><div>            X509v3 Issuer Alternative Name:</div><div>                URI:<a href="http://www.startssl.com/">http://www.startssl.com/</a></div><div>    Signature Algorithm: sha1WithRSAEncryption</div><div>
    <snip></div><div>-----BEGIN CERTIFICATE-----</div><div><snip></div><div>-----END CERTIFICATE-----</div></div></div></div></div></div>
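The thread's point is that a RADIUS server certificate needs a CRL distribution point URI in its extensions, set via `crlDistributionPoints = URI:...` in the openssl extension section. The following script is an added example, not code from the thread or from the FreeRADIUS project: it writes such an openssl config, issues a throwaway self-signed certificate (once with and once without the CRLDP line), and then checks with `openssl x509 -text` whether the extension is actually present. The hostname `radius.example.test`, the section name `v3_server`, the scratch directory and the CRL URL (the placeholder from the quoted advice) are all assumptions; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Generates a self-signed
# test certificate with or without a crlDistributionPoints extension and
# checks the resulting certificate text for a CRLDP URI.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory (assumption)
CRL_URL="http://yoururl.here/ca.crl"   # placeholder URL from the quoted advice

# Write an openssl config. $1 = "yes" adds the crlDistributionPoints line,
# anything else leaves it out so the negative case can be checked too.
make_config() {
    {
        cat <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = radius.example.test
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:radius.example.test
EOF
        if [ "$1" = yes ]; then
            echo "crlDistributionPoints = URI:$CRL_URL"
        fi
    } > "$WORK/radius.cnf"
}

# Issue a self-signed cert applying the [v3_server] extensions.
# $1 = "yes"/"no" for the CRLDP line, $2 = output file name inside $WORK.
make_cert() {
    make_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/radius.key" -out "$WORK/$2" \
        -config "$WORK/radius.cnf" -extensions v3_server >/dev/null 2>&1
}

# Print the URI(s) listed under "X509v3 CRL Distribution Points" in a PEM
# certificate; prints nothing when the extension is absent.
crldp_uris() {
    openssl x509 -in "$1" -noout -text \
        | grep -A3 'CRL Distribution Points' \
        | sed -n 's/.*URI:\(.*\)/\1/p'
}

# Succeed (exit 0) only if the certificate carries at least one CRLDP URI.
has_crldp() {
    [ -n "$(crldp_uris "$1")" ]
}

make_cert yes with-crldp.pem
make_cert no  without-crldp.pem
if has_crldp "$WORK/with-crldp.pem"; then
    echo "with-crldp.pem: CRLDP present -> $(crldp_uris "$WORK/with-crldp.pem")"
fi
if ! has_crldp "$WORK/without-crldp.pem"; then
    echo "without-crldp.pem: no CRLDP extension, would fail the check in the thread"
fi
```

Run it against an existing server certificate by calling `has_crldp /etc/freeradius/certs/myserver.pem` after sourcing the script; the `grep -A3` window covers the blank line and `Full Name:` line that older OpenSSL versions print between the extension header and the URI, as seen in the output quoted above.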