default certificates: add a useless CRL distribution point?

Stefan Winter stefan.winter at
Sat May 25 21:56:47 CEST 2013


The bootstrap script adds EKU "TLS Web Server" because that makes most
of the Windows editions happy.

Folks in eduroam have now discovered something ... odd ... with Windows
Phone 8.

It requires that the *server* certificate that comes in during EAP
contains the "CRL Distribution Point" extension.

This is rather useless of course, because the client can't actually
consult the CRL because he has no network while he's trying to
authenticate. As an effect of that, it does not matter at all whether
the URL in the CDP extension actually serves a CRL. It's just an extra
annoyance to be aware of.

I'm wondering: should the bootstrap scripts add a CDP pointing to a
non-existing URL? It would improve the compatibility with these devices.
It would make the certs look stranger though, as that is just added
junk. Maybe a URL like ""
would make that clear for anyone who cares to take a look at the
generated certs.

Note that I don't know if the CA and/or intermediates also need that
extension present. I can find out if need be (and I'm sure Tomasz and
Maja are reading this list themselves anyway :-) ).


Stefan Winter
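
The practical question behind the mail is "does this certificate carry a CRL Distribution Points extension at all, and what URI does it name?" The script below is an added example, not part of the thread and not the bootstrap script or any FreeRADIUS code. It walks the DER of a certificate with the standard library only, returns the URIs found in the CDP extension (OID 2.5.29.31) or None when the extension is absent, and accepts PEM or DER input. To run offline it also fabricates an unsigned, structurally minimal placeholder certificate; that placeholder, the `build_demo_certificate` name and the URL `http://www.example.com/example_ca.crl` are constructed for the example and nothing else. Run it over the server certificate and, to answer the open question about the chain, over the CA and intermediate certificates as well.

```python
"""Stdlib-only DER walker: does an X.509 certificate carry the CRL Distribution
Points extension (OID 2.5.29.31), and which URIs does it name?  The builder at
the bottom fabricates an UNSIGNED placeholder certificate so the check can be
exercised offline; that placeholder is constructed test data, not a real cert."""
import base64
import sys

CDP_OID = "2.5.29.31"
EKU_OID = "2.5.29.37"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth ("TLS Web Server")

def _read_tlv(buf, pos):
    """Decode the DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """All (tag, value) elements packed inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def certificate_extensions(der):
    """Map extnID -> (critical, extnValue bytes) for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)                     # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                     # tbsCertificate SEQUENCE
    exts = {}
    for tag, val in _children(tbs):
        if tag == 0xA3:                                # extensions [3] EXPLICIT
            _, ext_seq, _ = _read_tlv(val, 0)          # SEQUENCE OF Extension
            for _, ext in _children(ext_seq):
                fields = _children(ext)                # extnID [, critical], extnValue
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                exts[_decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return exts

def crl_distribution_uris(der):
    """URIs named by the CDP extension; [] if it names none; None if absent."""
    exts = certificate_extensions(der)
    if CDP_OID not in exts:
        return None
    uris = []
    _, dps, _ = _read_tlv(exts[CDP_OID][1], 0)         # SEQUENCE OF DistributionPoint
    for _, dp in _children(dps):
        for tag, dpn in _children(dp):
            if tag == 0xA0:                            # distributionPoint [0] (a CHOICE)
                for tag2, names in _children(dpn):
                    if tag2 == 0xA0:                   # fullName [0] IMPLICIT GeneralNames
                        uris += [gn.decode("ascii") for t, gn in _children(names)
                                 if t == 0x86]         # uniformResourceIdentifier [6]
    return uris

def load_der(data):
    """Accept PEM or DER certificate bytes; return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

# ---- constructed input: fabricated, unsigned placeholder (not a real cert) ----
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def build_demo_certificate(cdp_uri=None):
    """Placeholder v3 certificate with EKU serverAuth and, optionally, a CDP."""
    ext = [_tlv(0x30, _encode_oid(EKU_OID) + _tlv(0x04, _tlv(0x30, _encode_oid(SERVER_AUTH_OID))))]
    if cdp_uri is not None:                            # SEQ { DP { [0] { [0] { [6] uri } } } }
        dp = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, cdp_uri.encode("ascii")))))
        ext.append(_tlv(0x30, _encode_oid(CDP_OID) + _tlv(0x04, _tlv(0x30, dp))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")     # version v3, serialNumber
           + _tlv(0x30, b"") * 5                                      # sigalg, issuer, validity, subject, spki: empty stand-ins
           + _tlv(0xA3, _tlv(0x30, b"".join(ext))))                   # extensions [3]
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            uris = crl_distribution_uris(load_der(f.read()))
        print(path, "no CDP extension" if uris is None else "CDP URIs: " + ", ".join(uris))
```

Invoked as `python cdp_check.py server.pem ca.pem` (file names are assumptions) it prints one line per certificate. The same information is visible by hand in the "X509v3 CRL Distribution Points" block of `openssl x509 -in server.pem -noout -text`; the script only makes the presence check scriptable across a whole chain. Note that the walker only reports the URI; as the mail says, whether anything is served there is irrelevant to the phone, which cannot reach it during EAP anyway.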

