For the sake of posterity (e.g future searches on this topic). The stanza that Ivan replace in the MAKEFILE used to create working client.p12 files under Windows XP SP3 are: client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf client.crt: client.csr ca.pem ca.key index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem .PHONY: server.vrfy client.vrfy: ca.pem client.pem c_rehash . openssl verify -CApath . client.pem
The makefile you sent me allowd me to generate a correct client.p12 which cleared up the error reported by windows. Thanks very much. So it looks like windows may prefer personal certs signed by the CA rather than the server? I can sucessfully use the client cert with the "Smart Card or other Certificate" options on Windows XP/SP3 (which uses EAP-TLS I believe).