-----BEGIN PGP SIGNED MESSAGE----- Can any one recommend a signed certificate provider whose certificates work with the Microsoft 802.1x client. I currently have a system that works fine with a self signed certificate but fails to work with a Digicert signed certificate, so we are looking to purchase a certificate that will work. Phil Brown Lan support Room 2-04 Halpern House ISO department University of Portsmouth -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i OS/2 for non-commercial use Comment: PGP 5.0 for OS/2 Charset: cp850 wsBVAwUBRk1Lvh8HY4rdc96FAQE0Qwf+JL0Rs3oyciH7mHxrRB58l+vOIIDLihNC UmKqd7c1AsWonmwibcagSjX6cM971HF0Itc4Q0FiX/Fwwesb8xhB/RugTXAnqJ36 OPMrHXCJvMwxknUsyWRyaHpTXGJIpVf8XzZgmLK115s6M/TWbLtWv0eNGFqwL256 FfR1tbmijAsVrbAtU94u9cpsWnBtVmsRtx0wGzcn0rKtS1FXoa5sAqbflDN1B2IS vgd5Kb7sOX7A96QdYuCCP6hswBzslJIQvDYBUaGC6/fEYriHQ0YlEE19HgBVyjRM Tyil6OikurtC6Dvc213aipw91dBi3WESxbTC3ajIXCimWSHLNAyIYg== =px7Q -----END PGP SIGNATURE-----
Hi, do you mean a RADIUS *Server* certificate? Show us the openssl x509 -noout -text -in your-cert.pem output of your certificate that is currently not working and we can make a guess why it might not working.
From the vendor website I can't workout which keyusage extensions and/or Netscape certificate types are set in your certificate.
Phil Brown wrote:
Can any one recommend a signed certificate provider whose certificates work with the Microsoft 802.1x client. I currently have a system that works fine with a self signed certificate but fails to work with a Digicert signed certificate, so we are looking to purchase a certificate that will work.
-- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Phil Brown wrote:
Can any one recommend a signed certificate provider whose certificates work with the Microsoft 802.1x client. I currently have a system that works fine with a self signed certificate but fails to work with a Digicert signed certificate, so we are looking to purchase a certificate that will work.
OpenSSL creates usable certificates. I would suggest calling Digicert, and telling them the certificate you paid for is useless. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Got the requested openssl output via pm. PKIX extendedKeyUsage is set OK. Additionally Netscape Cert Type is set accordingly to EKU. But: It is a wildcard certificate. And the SubjectDN contained among commonly used RDNs (like C, ST, L, O, OU and CN) a view RDNs that are rarely used in certificates like OIDs 2.5.4.17, 2.5.4.9 and 2.5.4.9 which are X.500 attributs (<http://www.faqs.org/rfcs/rfc2256.html>, <http://www.alvestrand.no/objectid/2.5.4.html>). I have not a clue if Windows built-in EAP-TLS or PEAP supplicant has problems with these. Anyway, these "oddities" raised my suspicion. Can anybody confirm that RADIUS-Server certs with these rarely used OIDs in the sDN and/or a wildcard CN is working with Windows build-in PEAP/EAP-TLS? Alan DeKok wrote:
Phil Brown wrote:
Can any one recommend a signed certificate provider whose certificates work with the Microsoft 802.1x client. I currently have a system that works fine with a self signed certificate but fails to work with a Digicert signed certificate, so we are looking to purchase a certificate that will work.
OpenSSL creates usable certificates. I would suggest calling Digicert, and telling them the certificate you paid for is useless.
-- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
participants (3)
-
Alan DeKok -
Phil Brown -
Reimer Karlsen-Masur, DFN-CERT