On 17/04/2018 13:55, Alan DeKok wrote:
On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick@howitts.co.uk> wrote:
Replying to my own post.
There was a permission problem which I've now fixed, but I still get failure: eapol_test:
(6) eap_tls: ERROR: SSL says error 26 : unsupported certificate purpose That means that the certificate hierarchy is wrong. i.e. cert A has created cert B, but cert A doesn't have OIDs which say it's allowed to create sub-certificates.
Newer versions of OpenSSL check these settings. Older versions of OpenSSL didn't do that.
How did you create the certificates? The scripts in the raddb/certs directory should work, so using those would probably help.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks for the reply. The distro, ClearOS is working in a slightly funny way. The CA is created from (adjusted expanding the variables with the config file): openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config /etc/raddb/certs/ca.cnf
It is a little tortuous with how it gets here, but it is using the default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking the generated CA, I see: X509v3 Basic Constraints: critical CA:TRUE Nick