Hi Alan,
It looks like it is doing machine authentication, in which case the
Correct.
certs (both client and server) need the machine authentication OIDs,
I read that again and again, but I already have these OID in the certs. Here a dump of my server-cert: Certificate: Data: Version: 3 (0x2) Serial Number: 40 (0x28) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de Validity Not Before: Aug 10 09:33:43 2006 GMT Not After : Aug 10 09:33:43 2007 GMT Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=radius.verwaltung.kh-berlin.de/emailAddress=sc-it@kh-berlin.de Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: TinyCA Generated Certificate X509v3 Subject Key Identifier: 42:A9:4A:9F:04:88:71:B1:78:D4:1A:5D:00:A5:66:8E:78:C0:45:FF X509v3 Authority Key Identifier: keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de serial:89:0D:6F:61:AC:0C:E0:05 X509v3 Issuer Alternative Name: email:sc-it@kh-berlin.de X509v3 Subject Alternative Name: email:sc-it@kh-berlin.de X509v3 Extended Key Usage: critical TLS Web Server Authentication !!!!!!!!!!!!!! Signature Algorithm: sha1WithRSAEncryption [...] Isn't that exactly what it should like? And here the client: Certificate: Data: Version: 3 (0x2) Serial Number: 42 (0x2a) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de Validity Not Before: Sep 1 11:18:32 2006 GMT Not After : Sep 1 11:18:32 2007 GMT Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=vinfo-t1/emailAddress=vinfo-t1-neuer@local Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: TinyCA Generated Certificate X509v3 Subject Key Identifier: C0:72:0A:91:71:D9:E7:A9:73:CC:B4:B0:AD:17:B4:ED:61:AF:06:B9 X509v3 Authority Key Identifier: keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de serial:89:0D:6F:61:AC:0C:E0:05 X509v3 Issuer Alternative Name: email:sc-it@kh-berlin.de X509v3 Subject Alternative Name: email:vinfo-t1-neuer@local X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: critical TLS Web Client Authentication !!!!!!!!! Signature Algorithm: sha1WithRSAEncryption [...] What else could be a problem? How do you guys handle the "host/<netbiosname>" problem? Could that brake the cert? TIA Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445