Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server-cert and each client has a signed client-cert (both with the XP specific usage attributes). The CA is of course imported into the trusted authorities branch. The CN ist the Computername (because I'am doing a machine-based auth). The certmgr in XP says it's a valid and trusted cert. That's how it worked in SP2.
I compared your example-cert with my cert and I can't see a significant difference.
You have to take it up with TinyCA people: "Development State: The current state is beta. So use at your own risk and please don't hesitate to report bugs... sm@sm-zone.net " We can help you with certificates generated by freeradius routines. Ivan Kalik Kalik Informatika ISP