Stefan Puch wrote on 31.01.2008 17:05:
Hello again, ... @Reimer Karlsen-Masur
We know of problems with EE certificates in PDAs containing the "non-repudiation" flag.
If the "non-repudiation" keyUsage *is part* of your client certificates they might not work with some PDAs build-in supplicants. We found this out by try and error...
Additionally Windows build-in supplicants don't like EE certificates with the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2) when doing EAP-TLS.
Apparently the latter issue can also be solved by just disabling the valid certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted usages properties on the system. I'm not sure if understand correctly what you want to say to me (I'm stupid :-)) First I've used TinyCA to generate my certificates, now I will try the Makefile provided in the source-code of freeradius. I think the extendedKeyUsage "Microsoft Smartcard Logon" should not be set in both variants.
If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client certificates they might not work with Windows build-in supplicant. If the "Microsoft Smartcard Logon" extendedKeyUsage *is not part* of your client certificates this causes less problems with Windows build-in supplicant.
Or do you mean that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the PDA?
If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client certificates you could work around this by disabling the trust setting of valid certificate usage "Microsoft Smartcard Logon" in the CAs properties in Windows build-in certificate store on the PDA. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki 15 Jahre DFN-CERT + 15. DFN-Workshop "Sicherheit in vernetzten Systemen" am 13./14. Februar 2008 im CCH Hamburg - https://www.dfn-cert.de/ws2008/ -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski