The exact error msg is ' the request does not contain a certificate template extension or the Certificate Template request attribute.' I used make server.csr to generate CSR, and choose RAS and IAS Server template which used by NPS of windows, including EKU of 1.3.6.1.5.5.7.3.1. So I guess some new attribute is added by MS server 2016 CA, which makes CSR created by `make server.csr` isn't compatible with it. Find out a way to export CA of MS CA and sign with it in http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h... Will try it next week. A quick question, is it possible to not use password for client cert ? So I'll use Group policy and deploy it on all domain computers. All users share the same cert, is is best practice? Thanks. On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn@freeradius.org> wrote:
On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
Sorry to trouble you again, I create server.csr by make server.csr, when I apply a cert by server.csr created by 'make server.csr', MS Certificiate Authority said cannot find cert template for my csr.
You need to ask whoever runs your CA what that means.
The 'Makefile' in the certs dir will use openssl to generate working certificates. It's plain text, so you can see what commands it runs.
So does anyone have expericenced this and offer me a little help?
Make sure the certificates you use have the TLS Web Server Authentication and TLS Web Client Authentication OIDs in them. What method you use to do that doesn't really matter. The CA should be able to add it.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html