tnt at kalik.net
tnt at kalik.net
Thu Dec 11 01:13:24 CET 2008
>freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
>followed instructions in certs/README perfectly - so I believe.
>server certs seem fine but generated client cert in Windows shows
>"Windows does not have enough information to verify" and yes, I have
>loaded the 'ca.der' file generated by the instructions on the Windows
>client and that installs in 'Trusted Root Authorities'. The 'client'
>cert seems to install in 'Other People', and does include the
>So I'm trying to verify the client certificate...
># openssl verify -CAfile ca.pem spare\@myorg.com.pem
>spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare at myorg.com/emailAddress=spare at myorg.com
>error 20 at 0 depth lookup:unable to get local issuer certificate
>so I figured I would try to verify it against the server file...
># openssl verify -CAfile server.pem spare\@myorg.com.pem
>spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server
>Certificate/emailAddress=craig at myorg.com
>error 2 at 1 depth lookup:unable to get issuer certificate
>but indeed the server file verifies...
># openssl verify -CAfile ca.pem server.crt
># openssl verify -CAfile ca.pem server.pem
>This would seem pretty simple (the directions make it seem simple)
>changed input/output password values to the same, simple value
>changed the e-mail address and cn to the same value as shown above
>What am I doing wrong?
Try attached Makefile. It has been altered so client certificates are
signed by the ca and not server certificate. I was unable to
"persuade" up-to-date Windows PCs to accept server certificate as an
Intermediate CA. Changing the issuer resolved the problem.
Kalik Informatika ISP
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4540 bytes
Desc: not available
More information about the Freeradius-Users