client certs

Craig White craigwhite at azapple.com
Thu Dec 11 00:40:57 CET 2008


freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)

followed instructions in certs/README perfectly - so I believe.

server certs seem fine but generated client cert in Windows shows
"Windows does not have enough information to verify" and yes, I have
loaded the 'ca.der' file generated by the instructions on the Windows
client and that installs in 'Trusted Root Authorities'. The 'client'
cert seems to install in 'Other People', and does include the
XPextensions stuff.

So I'm trying to verify the client certificate...

# openssl verify -CAfile ca.pem spare\@myorg.com.pem
spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare at myorg.com/emailAddress=spare at myorg.com
error 20 at 0 depth lookup:unable to get local issuer certificate

so I figured I would try to verify it against the server file...
# openssl verify -CAfile server.pem spare\@myorg.com.pem
spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/emailAddress=craig at myorg.com
error 2 at 1 depth lookup:unable to get issuer certificate

but indeed the server file verifies...

# openssl verify -CAfile ca.pem server.crt
server.crt: OK

# openssl verify -CAfile ca.pem server.pem
server.pem: OK

This would seem pretty simple (the directions make it seem simple)
edited client.cnf
changed input/output password values to the same, simple value
changed the e-mail address and cn to the same value as shown above

What am I doing wrong?

Craig
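
Added example, not part of the original post: the two error codes quoted above (error 20 at depth 0 against ca.pem, error 2 at depth 1 against server.pem) are consistent with a chain of the form root -> server certificate -> client certificate. The script below builds such a chain from throwaway keys and runs the same checks with a current OpenSSL. All subjects and file contents are constructed, and marking the issuing certificate CA:TRUE is an assumption made so that a modern OpenSSL accepts it as an issuer.

```shell
#!/bin/sh
# Added example. Every name, subject and file below is constructed for the demo.

sign() {  # sign <csr> <issuer cert> <issuer key> <extfile> <out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 2 -extfile "$4" -out "$5"
}

build_chain() {  # build_chain <dir>: root -> server (issuing cert) -> client
  ( set -e; cd "$1"
    # Assumption: the issuing cert is marked as a CA so modern OpenSSL accepts it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    for n in ca server client; do
      openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=demo $n" \
        -keyout "$n.key" -out "$n.csr"
    done
    # Root is self-signed; server is signed by the root; client by the server.
    openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.pem
    sign server.csr ca.pem ca.key ca.ext server.pem
    sign client.csr server.pem server.key client.ext client.pem
  ) >/dev/null 2>&1
}

verify_result() {  # verify_result <dir> <openssl verify args...>
  dir=$1; shift
  out=$( cd "$dir" && openssl verify "$@" 2>&1 ) || true
  err=$(printf '%s\n' "$out" | grep -o 'error [0-9][0-9]* at [0-9][0-9]* depth' | head -n 1)
  if [ -n "$err" ]; then echo "$err"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
  else echo "unexpected: $out"; fi
}

demo=$(mktemp -d)
build_chain "$demo"
# Trust anchor is the root only: no issuer for the leaf can be found.
echo "ca.pem only:         $(verify_result "$demo" -CAfile ca.pem client.pem)"
# Issuing cert is found, but nothing in the store completes the chain to a root.
echo "server.pem only:     $(verify_result "$demo" -CAfile server.pem client.pem)"
# Root trusted, issuing cert supplied as an untrusted chain-building helper.
echo "ca.pem + -untrusted: $(verify_result "$demo" -CAfile ca.pem -untrusted server.pem client.pem)"
rm -rf "$demo"
```

The depth in each message is the position in the chain where building stopped: 0 is the certificate being checked, 1 is its issuer.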