certificates in FR 2.0.1 on windows doesnt works
hi to all. created the certificates with the default config files in FR 2.0.1 with ./bootstrap created the client certificate with make client the import of the ca.pem and server.crt in winxp is OK. they link with each-other ok ( ca->server ) the import of client.p12 is ok but it doesnt have a valid link it is ca->server->client and the details of the server certificate tells that "is not authorized to issue certificates" . the client certificates tells that is issued by the server not by the ca. the question is : the client certificate should be issued by the server or by the ca? if its to be issued by the ca then the Makefile in cert dirs have to be modified. in fact after modified the Makefile and client.cnf and re-importing them in xp then the linkage is ok. ( ca->client ) is this a prob ? or what ?
orion wrote:
the import of client.p12 is ok but it doesnt have a valid link it is ca->server->client
What does that mean?
and the details of the server certificate tells that "is not authorized to issue certificates" .
Where does it say that? Which certificate tool are you using to look at the certificates?
the client certificates tells that is issued by the server not by the ca.
Yes, that is supposed to happen.
the question is : the client certificate should be issued by the server or by the ca?
Server.
in fact after modified the Makefile and client.cnf and re-importing them in xp then the linkage is ok. ( ca->client )
That's not how it's supposed to work. Alan DeKok.
im using standart windows mmc. after import of the CA and Server certificates the server certificate links to the ca certificate ok CA certificate |- server certificate but when i import the client.p12 certificate the linkage is CA certificate |- server certificate |- client certificate in that moment the server part tells ( it not allow to issue certificate for others). So the server certifiace is not allowed to issue certificate ( in this case to issue the certificate for the server. ). 1)Its necessary to import the server certificate + ca certificate + client certificate ? 2)or only ca certificate + client certificate ? the second case the linkage between the ca and client doesnt exist ( as you said "is the server the issuer of the client`s certificate" ). On 25/01/2008, Alan DeKok <aland@deployingradius.com> wrote:
orion wrote:
the import of client.p12 is ok but it doesnt have a valid link it is ca->server->client
What does that mean?
and the details of the server certificate tells that "is not authorized to issue certificates" .
Where does it say that? Which certificate tool are you using to look at the certificates?
the client certificates tells that is issued by the server not by the ca.
Yes, that is supposed to happen.
the question is : the client certificate should be issued by the server or by the ca?
Server.
in fact after modified the Makefile and client.cnf and re-importing them in xp then the linkage is ok. ( ca->client )
That's not how it's supposed to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2)or only ca certificate + client certificate ?
the second case the linkage between the ca and client doesnt exist ( as you said "is the server the issuer of the client`s certificate" ).
Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate). Client checks server certificate to see if it's issued by a *known and trusted" CA. Nothing checks client certificate against the CA. Ivan Kalik Kalik Informatika ISP
its not a problem that windows says about the client certificate : "the issuer of this certificate cannot be found " ? can the certificate be used in this case ? On 25/01/2008, tnt@kalik.co.yu <tnt@kalik.co.yu> wrote:
2)or only ca certificate + client certificate ?
the second case the linkage between the ca and client doesnt exist ( as you said "is the server the issuer of the client`s certificate" ).
Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate). Client checks server certificate to see if it's issued by a *known and trusted" CA. Nothing checks client certificate against the CA.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And that is good. Windows doesn't need to know who issued that certificate, only radius server does. Ivan Kalik Kalik Informatika ISP Dana 25/1/2008, "orion" <meshkruaj@gmail.com> piše:
its not a problem that windows says about the client certificate : "the issuer of this certificate cannot be found " ?
can the certificate be used in this case ?
On 25/01/2008, tnt@kalik.co.yu <tnt@kalik.co.yu> wrote:
2)or only ca certificate + client certificate ?
the second case the linkage between the ca and client doesnt exist ( as you said "is the server the issuer of the client`s certificate" ).
Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate). Client checks server certificate to see if it's issued by a *known and trusted" CA. Nothing checks client certificate against the CA.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
orion wrote:
its not a problem that windows says about the client certificate : "the issuer of this certificate cannot be found " ?
Thank you for FINALLY posting the REAL error message. It helps to post the REAL error message, because you can then get a REAL solution. In this case, you didn't add the server certificate (or the CA certificate) into the root CA store. All of the documentation and howto's say you need to do this, so.... Alan DeKok.
On 25/01/2008, Alan DeKok <aland@deployingradius.com> wrote:
In this case, you didn't add the server certificate (or the CA certificate) into the root CA store. All of the documentation and howto's say you need to do this, so....
Alan DeKok.
the ca certificate is the first i import in root CA store. i get the error "the issuer of this certificate cannot be found" after importing the client certificate(in personal certificates ) on the "general" tab it says about the client certificate : Windows does not have enough information to verify this certificate on the "certification path" tab it says "the issuer of the certificate could not be found" now, do i have to import the CA and client certificate ( ca.pem and client.p12 ) or the CA + Server + Client certificate ( if so , which of the server.* certificates )
Does anybody know about iCHAP? Kevin, --------------------------------- Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
orion wrote:
but when i import the client.p12 certificate the linkage is
CA certificate |- server certificate |- client certificate
in that moment the server part tells ( it not allow to issue certificate for others).
There's no reason why the intermediate certificate can't issue a client certificate. And yes, you already said it complained about that. There's no reason to re-post a summary of that message. You were asked to post *specific* information.
So the server certifiace is not allowed to issue certificate ( in this case to issue the certificate for the server. ).
Nonsense.
1)Its necessary to import the server certificate + ca certificate + client certificate ? 2)or only ca certificate + client certificate ?
the second case the linkage between the ca and client doesnt exist ( as you said "is the server the issuer of the client`s certificate" ).
A direct linkage doesn't exist, and doesn't need to exist. Windows has *zero* problems using such a client certificate for EAP-TLS. If you see an error message, then either the software you're using is broken, or you didn't understand the message it's producing. Alan DeKok.
participants (4)
-
Alan DeKok -
Kevin J -
orion -
tnt@kalik.co.yu