Anything special to apply a server cert by CSR for eap-tls?
Hi, Sorry to trouble you again, I create server.csr by make server.csr, when I apply a cert by server.csr created by 'make server.csr', MS Certificiate Authority said cannot find cert template for my csr. So I want to use Ca from MS CA, and sign a server.crt and key for Freeradius, client would use key/cert signed by MS CA. But I searched most of posts are MS NPS(network policy service).etc. So does anyone have expericenced this and offer me a little help? Thanks,
On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
Sorry to trouble you again, I create server.csr by make server.csr, when I apply a cert by server.csr created by 'make server.csr', MS Certificiate Authority said cannot find cert template for my csr.
You need to ask whoever runs your CA what that means. The 'Makefile' in the certs dir will use openssl to generate working certificates. It's plain text, so you can see what commands it runs.
So does anyone have expericenced this and offer me a little help?
Make sure the certificates you use have the TLS Web Server Authentication and TLS Web Client Authentication OIDs in them. What method you use to do that doesn't really matter. The CA should be able to add it. -- Matthew
The exact error msg is ' the request does not contain a certificate template extension or the Certificate Template request attribute.' I used make server.csr to generate CSR, and choose RAS and IAS Server template which used by NPS of windows, including EKU of 1.3.6.1.5.5.7.3.1. So I guess some new attribute is added by MS server 2016 CA, which makes CSR created by `make server.csr` isn't compatible with it. Find out a way to export CA of MS CA and sign with it in http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h... Will try it next week. A quick question, is it possible to not use password for client cert ? So I'll use Group policy and deploy it on all domain computers. All users share the same cert, is is best practice? Thanks. On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn@freeradius.org> wrote:
On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
Sorry to trouble you again, I create server.csr by make server.csr, when I apply a cert by server.csr created by 'make server.csr', MS Certificiate Authority said cannot find cert template for my csr.
You need to ask whoever runs your CA what that means.
The 'Makefile' in the certs dir will use openssl to generate working certificates. It's plain text, so you can see what commands it runs.
So does anyone have expericenced this and offer me a little help?
Make sure the certificates you use have the TLS Web Server Authentication and TLS Web Client Authentication OIDs in them. What method you use to do that doesn't really matter. The CA should be able to add it.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
1. maybe I didn't choose the right cert template, 'RAS and IAS server template' is used for windows NPS. Hard to say. 2. I'll try to use 'RAS and IAS server temp' and create a cert and export it, then check what does it require by view it on windows, or openssl x509 on Linux. On Fri, Dec 14, 2018 at 6:34 PM luckydog xf <luckydogxf@gmail.com> wrote:
The exact error msg is ' the request does not contain a certificate template extension or the Certificate Template request attribute.' I used make server.csr to generate CSR, and choose RAS and IAS Server template which used by NPS of windows, including EKU of 1.3.6.1.5.5.7.3.1.
So I guess some new attribute is added by MS server 2016 CA, which makes CSR created by `make server.csr` isn't compatible with it.
Find out a way to export CA of MS CA and sign with it in http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h... Will try it next week.
A quick question, is it possible to not use password for client cert ? So I'll use Group policy and deploy it on all domain computers. All users share the same cert, is is best practice?
Thanks.
On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn@freeradius.org> wrote:
On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
Sorry to trouble you again, I create server.csr by make server.csr, when I apply a cert by server.csr created by 'make server.csr', MS Certificiate Authority said cannot find cert template for my csr.
You need to ask whoever runs your CA what that means.
The 'Makefile' in the certs dir will use openssl to generate working certificates. It's plain text, so you can see what commands it runs.
So does anyone have expericenced this and offer me a little help?
Make sure the certificates you use have the TLS Web Server Authentication and TLS Web Client Authentication OIDs in them. What method you use to do that doesn't really matter. The CA should be able to add it.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, 2018-12-14 at 18:34 +0800, luckydog xf wrote:
The exact error msg is ' the request does not contain a certificate template extension or the Certificate Template request attribute.' I used make server.csr to generate CSR, and choose RAS and IAS Server template which used by NPS of windows, including EKU of 1.3.6.1.5.5.7.3.1.
I'm not sure how else to say "you need to talk to the person who runs your CA". Looking at Microsoft errors isn't relevant to the FreeRADIUS list.
A quick question, is it possible to not use password for client cert?
Yes.
So I'll use Group policy and deploy it on all domain computers. All users share the same cert, is is best practice?
When one of your users does something bad, you have to reissue a new certificate to everyone, and you probably don't know who it was anyway? So no. -- Matthew
Yes, shared cert isn't a good idea, enterprise CA is needed. Thanks. On Fri, Dec 14, 2018 at 6:58 PM Matthew Newton <mcn@freeradius.org> wrote:
On Fri, 2018-12-14 at 18:34 +0800, luckydog xf wrote:
The exact error msg is ' the request does not contain a certificate template extension or the Certificate Template request attribute.' I used make server.csr to generate CSR, and choose RAS and IAS Server template which used by NPS of windows, including EKU of 1.3.6.1.5.5.7.3.1.
I'm not sure how else to say "you need to talk to the person who runs your CA". Looking at Microsoft errors isn't relevant to the FreeRADIUS list.
A quick question, is it possible to not use password for client cert?
Yes.
So I'll use Group policy and deploy it on all domain computers. All users share the same cert, is is best practice?
When one of your users does something bad, you have to reissue a new certificate to everyone, and you probably don't know who it was anyway?
So no.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
luckydog xf -
Matthew Newton