Thanks for your response. I downloaded my cacert.pem and imported it into my xp client as a trusted root authority and that did not help. Here are the steps I took to create my certs. Remember I am trying to use "PEAP". Thanks!!!! Here's what I did to create the certs. rhel as 4.0 freeradius 1.0.4 On my freeradius server I went to: /usr/share/ssl/openssl.cnf changed "dir = ./productionCA" changed "countryName_default = US" changed "stateOrProviceName_default = Missouri" changed "localityName_default = Warrensburg" changed "0.organizationName_default = CMSU" changed "organizationalUnitName_default = Information Services" changed "commonName_default = Wireless" changed "emailAddress_default = email@email.edu" changed "challengePassword_default = password" I saved the file. Then I went into /usr/share/ssl/misc/CA and changed "CATOP=./productionCA" Then I went back into the usr/share/ssl directory and ran /usr/share/ssl/misc/CA -newca Entered my passphrase "password" Verified "password" Hit the default of "US" for Country name Hit the default of "MIssouri" for state name Hit the default of "Warrensburg" for state name Hit the default of "CMSU" for organization name Hit the defaut of "Information Services" for organizational unit name Hit the default of "WIRELESS" for the common name Hit the default of "email@email.edu" for the email address Now I have my new root certificate (cacert.pem) and private key (cakey.pem). In my /usr/share/ssl/productionCA directory I have" -rw-r--r-- 1 root root 1346 Aug 16 14:54 cacert.pem drwxr-xr-x 2 root root 4096 Aug 16 14:52 certs drwxr-xr-x 2 root root 4096 Aug 16 14:52 crl -rw-r--r-- 1 root root 0 Aug 16 14:52 index.txt drwxr-xr-x 2 root root 4096 Aug 16 14:52 newcerts drwxr-xr-x 2 root root 4096 Aug 16 14:52 private -rw-r--r-- 1 root root 3 Aug 16 14:52 serial In the "private" directory I have: -rw-r--r-- 1 root root 963 Aug 16 14:54 cakey.pem Now I create my server certificate, but first I must create the "xpextensions" file because WindowsXP expects certain attributes in server and client certificates. Contents of "xpextensions" [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 Now I run: openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config openssl.cnf This asks for the PEM pass phrase: So I enter "password" I verify "password" Hit the default of "US" for Country name Hit the default of "MIssouri" for state name Hit the default of "Warrensburg" for state name Hit the default of "CMSU" for organization name Hit the defaut of "Information Services" for organizational unit name Enter in "server.cmsu.edu" for the common name Hit the default of "email@email.edu" for the email address It asks for a "challenge password" so I type in "password" It asks for a "optional company name" and I hit enter for nothing. This creates the files "server_req.pem" which contains the actual request-an unsigned certificate and "server_key.pem" the private key. Now I will use the ca key to sign the request. openssl ca -config openssl.cnf -policy_anything -out server_cert.pem -extensions xpserver_ext -extfile xpextensions -infiles server_req.pem This asks for the pass phrase for "/productionCA/private/cakey.pem" I type in "password" Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 16 20:09:23 2005 GMT Not After : Aug 16 20:09:23 2006 GMT Subject: countryName = US stateOrProvinceName = Missouri localityName = Warrensburg organizationName = CMSU organizationalUnitName = Information Services commonName = server.cmsu.edu emailAddress = email@email.edu X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Aug 16 20:09:23 2006 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated This command reads the file server_req.pem and after prompting for my CA key's passphrase, saves a signed version of it plus its corresponding private key to the file server_cert.pem. Now I opend up my signed certificate "server_cert.pem" and delete everything before the line --------BEGIN CERTIFICATE-------- Now I concatenate it and my key into a single file by typing: cat server_key.pem server_cert.pem > server_keycert.pem Next I copy the server_keycert.pem file and cacert.pem file over to my certs directory. Whie in this directory I run these two commands to create the "dh" file and "random" file. openssl dhparam -check -text -5 512 -out dh dd if=/dev/urandom of=random count=2 my eap.conf file tls { private_key_password = password private_key_file = ${raddbdir}/certs/server_keycert.pem certificate_file = ${raddbdir}/certs/server_keycert.pem # Trusted Root CA list CA_file = ${raddbdir}/certs/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random
Zoltan Ori <z.ori@morehead-st.edu> 08/16/05 1:25 PM >>> On Tuesday 16 August 2005 10:28, Jamie Crawford wrote: Everything seems to work great until the certificate negotiation, then it blows chunks.
Bad or wrong certificates. Server and supplicant need a copy of the same trusted root certificate. Zoltan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html