Hi, the bootstrap script adds EKU "TLS Web Server" because that makes most of the Windows editions happy. Folks in eduroam have now discovered something ... odd ... with Windows Phone 8. It requires that the *server* certificate that comes in during EAP contains the "CRL Distribution Point" extension. This is rather useless of course, because the client can't actually consult the CRL because he has no network while he's trying to authenticate. As an effect of that, it does not matter at all whether the URL in the CDP extension actually serves a CRL. It's just an extra annoyance to be aware of. I'm wondering: should the bootstrap scripts add a CDP pointing to a non-existing URL? It would improve the compatibility with these devices. It would make the certs look stranger though, as that is just added junk. Maybe a URL like "http://www.freeradius.org/silly/cert/extension/" would make that clear for anyone who cares to take a look at the generated certs. Note that I don't know if the CA and/or intermediates also need that extension present. I can find out if need be (and I'm sure Tomasz and Maja are reading this list themselves anyway :-) ). Greetings, Stefan Winter