Wildcard RADIUS-server certificate and rarely used subjectRDN OIDs under 2.5.4.x arc working with Windows PEAP/EAP-TLS? (Was: Re: signed certificate)

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri May 18 15:25:43 CEST 2007


Got the requested openssl output via pm.

PKIX extendedKeyUsage is set OK.
Additionally, Netscape Cert Type is set according to the EKU.

But:

It is a wildcard certificate.

And the SubjectDN contained, among commonly used RDNs (like C, ST, L, O, OU
and CN), a few RDNs that are rarely used in certificates, like OIDs 2.5.4.17,
2.5.4.9 and 2.5.4.9, which are X.500 attributes
(<http://www.faqs.org/rfcs/rfc2256.html>,
<http://www.alvestrand.no/objectid/2.5.4.html>).

I have not a clue if Windows built-in EAP-TLS or PEAP supplicant has
problems with these.

Anyway, these "oddities" raised my suspicion.

Can anybody confirm that RADIUS-Server certs with these rarely used OIDs in
the sDN and/or a wildcard CN are working with Windows built-in PEAP/EAP-TLS?

Alan DeKok wrote:
> Phil Brown wrote:
>> Can anyone recommend a signed certificate provider whose certificates work with the
>> Microsoft 802.1x client. I currently have a system that works fine with a self signed certificate
>> but fails to work with a Digicert signed certificate, so we are looking to purchase a certificate
>> that will work.
> 
>   OpenSSL creates usable certificates.  I would suggest calling
> Digicert, and telling them the certificate you paid for is useless.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737