Hi Ivan,
Try signing client certificates with the ca certificate. I have included modified Makefile for 2.1.3. I have added "make caclient.pem" to produce client certificates and "cleanca" to remove them. Try importing caclient.p12 created this way onto the user machine (along with ca.der) and see if they will work with SP3. They should work with SP2 as well.
Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server-cert and each client has a signed client-cert (both with the XP specific usage attributes). The CA is of course imported into the trusted authorities branch. The CN ist the Computername (because I'am doing a machine-based auth). The certmgr in XP says it's a valid and trusted cert. That's how it worked in SP2. I compared your example-cert with my cert and I can't see a significant difference. Look here for my client-cert: Certificate: Data: Version: 3 (0x2) Serial Number: 127 (0x7f) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de Validity Not Before: Jan 16 14:24:44 2009 GMT Not After : Jan 15 14:24:44 2014 GMT Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): 00:a8:74:46:34:9e:7d:1d:45:71:0d:35:d8:48:ea: [...] 39:72:cf:d8:e5:c8:6c:2e:7f:95:1d:6b:cb:49:78: 6f:94:4b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: TinyCA Generated Certificate X509v3 Subject Key Identifier: DA:29:47:A5:D0:34:CC:D1:94:86:98:A4:65:68:C5:1D:F7:9C:E8:D5 X509v3 Authority Key Identifier: keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de serial:89:0D:6F:61:AC:0C:E0:05 X509v3 Issuer Alternative Name: email:sc-it@kh-berlin.de X509v3 Subject Alternative Name: DNS:HFS-PA-140109-2 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: critical TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9: [...] f7:80:cc:0f:42:db:b3:fd Don't know what to do. Have you tried a machine-based EAP-TLS with SP3? TIA Alex