OpenCA Certificates Problem with EAP_TLS
Pablo Navas
pablo at mondedeu.com
Wed Jul 13 12:32:29 CEST 2005
Hello list,
I’m sending this e-mail to ask about a problem with certificates
generated by OpenCA and used with FreeRadius. My problem is similar to
the one that Tom Tim had using EAP_TLS and the same type of CA. From
what I’ve read, the solution was to export the certificates as pkcs12
and then convert them to pem with openssl. At first, I made the EAP_TLS
work using the test certificates. I had no problem doing this. However,
when I used mine, things did not go so well.
I have tried using the Radius Server Certificate, using two different
types: TLS WEB SERVER and VPN SERVER. Also, I have tried using that of
the client, such as TLS WEB CLIENT.
I have converted them using 2 different methods:
1. openssl pkcs12 -in cert.p12 -out cert.pem
   (This seems to be similar to cert-srv.pem)
2. openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
   openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
   (These are similar to the one above, except that they are separated.)
To confirm this, I looked at the certificates with
openssl x509 -in cert.pem -text, and it appears that everything is correct.
I have attached the log given by the FreeRadius. The server never sends
the Accept-Access, but it doesn’t give many clues as to what is
happening either, except: TLS_accept:error in SSLv3 read client
certificate A.
I hope that someone is able to help me out with this. I am a bit
frustrated with it and I need to get it up and running.
Best regards.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debug_freeradius_tls.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050713/2eb7b3b5/attachment.txt>
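
The script below is an added example, not part of the original post or of FreeRADIUS/OpenCA. After splitting a PKCS#12 bundle as in method 2 of the message, it checks that the key belongs to the certificate and that the certificate chains to the CA with the purpose its TLS role needs. The CA, subject names, password and file names are constructed for the demo, and -nodes is an assumption made so it runs without prompts.

```shell
#!/usr/bin/env bash
# Added example: sanity-check PEM files split out of a PKCS#12 bundle.
# CA, subjects, password and file names are constructed for this demo.

# Build a throwaway CA plus a leaf cert carrying one EKU, bundled as <dir>/cert.p12.
make_constructed_p12() {  # <dir> <serverAuth|clientAuth>
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ca]' \
    'basicConstraints=critical,CA:TRUE' '[leaf]' "extendedKeyUsage=$2" > "$1/o.cnf"
  openssl req -x509 -config "$1/o.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Constructed Test CA" -days 2 2>/dev/null &&
  openssl req -new -config "$1/o.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/CN=radius.example.test" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/o.cnf" -extensions leaf -days 2 -out "$1/leaf.pem" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/leaf.pem" -inkey "$1/leaf.key" \
    -passout pass:constructed -out "$1/cert.p12"
}

# Method 2 from the post: certificate and key written to separate PEM files.
split_p12() {  # <p12> <password> <cert_out> <key_out>
  ( umask 077   # the key file must not be readable by other users
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null &&
    # -nodes leaves the key unencrypted so the demo needs no prompt (assumption)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null )
}

# True only if the private key is the one the certificate was issued for.
key_matches_cert() {  # <cert.pem> <key.pem>
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if the cert chains to the CA and is usable for the given role
# (sslserver for a server certificate, sslclient for a client certificate).
valid_for() {  # <ca.pem> <cert.pem> <sslserver|sslclient>
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_constructed_p12 "$d" clientAuth &&
  split_p12 "$d/cert.p12" constructed "$d/usercert.pem" "$d/userkey.pem" || return 1
  key_matches_cert "$d/usercert.pem" "$d/userkey.pem" && echo "key matches certificate"
  valid_for "$d/ca.pem" "$d/usercert.pem" sslclient && echo "usable as TLS client cert"
  valid_for "$d/ca.pem" "$d/usercert.pem" sslserver || echo "NOT usable as TLS server cert"
  rm -rf "$d"
}
demo
```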