On Thu, 2008-12-11 at 01:13 +0100, tnt@kalik.net wrote:
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
followed instructions in certs/README perfectly - so I believe.
server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
So I'm trying to verify the client certificate...
# openssl verify -CAfile ca.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare@myorg.com/emailAddress=spare@myorg.com error 20 at 0 depth lookup:unable to get local issuer certificate
so I figured I would try to verify it against the server file... # openssl verify -CAfile server.pem spare\@myorg.com.pem spare@myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/emailAddress=craig@myorg.com error 2 at 1 depth lookup:unable to get issuer certificate
but indeed the server file verifies...
# openssl verify -CAfile ca.pem server.crt server.crt: OK
# openssl verify -CAfile ca.pem server.pem server.pem: OK
This would seem pretty simple (the directions make it seem simple) edited client.cnf changed input/output password values to the same, simple value changed the e-mail address and cn to the same value as shown above
What am I doing wrong?
Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to "persuade" up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.
OK - question... I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over? Windows is still complaining with new client certificate and yes, system is XP Service Pack 3 so it's pretty much up-to-date Craig