Thanks for looking at this, Michael. I decided to restart the certificate generation process and did it again from scratch following the article. Same results. I did it a 3rd time and but this time copied the certs to /etc/ssl/ certs and insured all CNs were unique (not being completely up on what is right or wrong w/r to input values for the cert process or what directories the new certs needed to live in, I wanted to make sure that wasn't an issue.) So, one of those actions did the trick and I haven't gone back to isolate which one. After that I was able to login - authenticated in both directions, too. I did go ahead and do the pkcs export password and that worked fine. I'm not sure what Bauer's comment was referring to in the article about XP supplicants only working with non-pw protected certs in the store. Oh well, it's up and working and I'm grateful. Thank you, Landon On Aug 5, 2005, at 4:30 PM, Michael Wang wrote:
Hi Landon,
I think this piece from the log is suspicious:
rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate --> verify error:num=18:self signed certificate chain-depth=0, error=18 --> User-Name = 360VL --> BUF-Name = 360VL --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
I think the problem is the user certificate that you imported into XP is "self-signed". What you need to do is use openssl to create a certificate request (using openssl req ...) and then sign that request using the CA (using openssl ca). Then package up the user key and signed user cert into the pkcs#12 envelope (using openssl pkcs12). Finally import into XP. I looked at the instructions for certificate generation in the linux format article and they look OK. Make sure you did not miss a step or use the wrong command somewhere.
As to using a password for the pkcs#12 envelope, go ahead and use it. When you import the pkcs#12 file into XP, it will just ask for it, and you enter it, and that should be it.
Hope that helps.
Michael