EAP-TLS Certificate problems.

Jason Wittlin-Cohen jasonwc at brandeis.edu
Mon Oct 9 06:11:52 CEST 2006


Brian vb said: "CA is in trusted root stores under "Current User", and client is in Personal
under "Current User". One thing I see when viewing the certs is the Root has
"Locker Systems" (using a random name to keep the identity of my company out
of the certs) as the issuer and the client has SSLeay Demoserver... looks
like OpenSSL didn't make the certs right for some odd reason... it's like it
used its own CA root or something else happened. I will recreate the certs
but I'm quite sure I entered the same data in all certs except commonname
which I made the same as the machine the cert will reside on. Root CA common
name didn't match any machine name. Where should the CA be? Machine or User?"

First, when you create the server and client certificates you need to use the Microsoft attributes for
Server and Client authentication. 

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

I would suggest following the instructions here: http://www.linuxjournal.com/node/8095/print
The howto is for setting up Freeradius on Linux, but it should be similar on Windows because
it's the OpenSSL commands that matter when creating the certs.

In order to find out if the certificate is correct, you can double click the certificate in the Personal store
and go to "Certification Path". You should see the certificate common name as well as the common name of your Root CA.
If you don't, something is wrong. You should also see "This certificate is OK" in the Certificate status box.
If this isn't the case, either the certificate was signed by the wrong CA, or the Root CA wasn't properly loaded into the User
"Trusted Root Certificate Authorities" store.
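Added example (not from the original post): a small pure-Python DER decoder for the extendedKeyUsage extension value, showing what the two OIDs in the xpclient_ext / xpserver_ext sections above look like inside a certificate and which role (client, server, both, none) a given EKU value grants. The sample byte strings are constructed here by hand; no third-party libraries are needed.

```python
# Added example, not from the original post. Decodes the DER value of the
# X.509 extendedKeyUsage extension and classifies it by the two OIDs that the
# xpclient_ext / xpserver_ext OpenSSL sections write into a certificate.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, from xpserver_ext
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, from xpclient_ext

def _read_len(buf: bytes, i: int):
    """Read a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid_body(body: bytes) -> str:
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs the first two arcs
    val = 0
    for b in body[1:]:                    # base-128, high bit = more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_eku(der: bytes) -> list:
    """extendedKeyUsage is SEQUENCE (tag 0x30) OF OBJECT IDENTIFIER (tag 0x06)."""
    if not der or der[0] != 0x30:
        raise ValueError("extendedKeyUsage value must be a DER SEQUENCE")
    length, i = _read_len(der, 1)
    end, oids = i + length, []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        n, i = _read_len(der, i + 1)
        oids.append(_decode_oid_body(der[i:i + n]))
        i += n
    return oids

def eku_role(der: bytes) -> str:
    """'client', 'server', 'both' or 'none' depending on which EKU OIDs are present."""
    oids = decode_eku(der)
    client, server = CLIENT_AUTH in oids, SERVER_AUTH in oids
    return {(True, True): "both", (True, False): "client",
            (False, True): "server"}.get((client, server), "none")

# Constructed sample values: 30 0a = SEQUENCE of 10 bytes, 06 08 = OID of 8 bytes,
# 2b = arcs 1.3, then 06 01 05 05 07 03 and the final arc 01 (server) or 02 (client).
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")
BOTH_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` prints the same extension decoded as "TLS Web Client Authentication" / "TLS Web Server Authentication".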
