Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
On Sat, Jun 13, 2009 at 7:08 AM, Ivan Kalik<tnt@kalik.net> wrote:
I used the Makefile to generate the certs. I then exported ca.der and client.p12 and installed them on the XP box. Did I get the wrong files?
No, those are correct files. Is ca OK but you get errors for client certificate? Try using included Makefile (rename old Makefile to Makefile.old and this one to Makefile). It will create client certificates signed by the ca certificate.
Ivan Kalik Kalik Informatika ISP
Hi Ivan, The makefile you sent me allowd me to generate a correct client.p12 which cleared up the error reported by windows. Thanks very much. So it looks like windows may prefer personal certs signed by the CA rather than the server? I can sucessfully use the client cert with the "Smart Card or other Certificate" options on Windows XP/SP3 (which uses EAP-TLS I believe). However it didn't fix my issue with trying to use a cert and PEAP or TTLS. So I am stumped still on that one. Any other ideas? Thanks for your help! John
However it didn't fix my issue with trying to use a cert and PEAP or TTLS. So I am stumped still on that one.
You need a supplicant that supports it. SecureW2 probably doesn't. Try wpa_supplicant. Ivan Kalik Kalik Informatika ISP
On Mon, Jun 15, 2009 at 3:46 PM, Ivan Kalik<tnt@kalik.net> wrote:
However it didn't fix my issue with trying to use a cert and PEAP or TTLS. So I am stumped still on that one.
You need a supplicant that supports it. SecureW2 probably doesn't. Try wpa_supplicant.
Thanks Ivan. Do you know if the windows wired PEAP supplicant supports sending a client cert back to the server? I'll look at wpa_supplicant as well. Also, thanks again for that amended MAKEFILE. Perhaps an extra stanza should be included in the MAKEFILE in a future freeradius version that directs someone to try that approach if windows rejects client.p12 files signed by the server? I think it might be a real help to others. Cheers! John
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For the sake of posterity (e.g future searches on this topic). The stanza that Ivan replace in the MAKEFILE used to create working client.p12 files under Windows XP SP3 are: client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf client.crt: client.csr ca.pem ca.key index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem .PHONY: server.vrfy client.vrfy: ca.pem client.pem c_rehash . openssl verify -CApath . client.pem
The makefile you sent me allowd me to generate a correct client.p12 which cleared up the error reported by windows. Thanks very much. So it looks like windows may prefer personal certs signed by the CA rather than the server? I can sucessfully use the client cert with the "Smart Card or other Certificate" options on Windows XP/SP3 (which uses EAP-TLS I believe).
participants (2)
-
Ivan Kalik -
john