client certs

tnt at tnt at
Thu Dec 11 01:13:24 CET 2008

>freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
>followed instructions in certs/README perfectly - so I believe.
>server certs seem fine but generated client cert in Windows shows
>"Windows does not have enough information to verify" and yes, I have
>loaded the 'ca.der' file generated by the instructions on the Windows
>client and that installs in 'Trusted Root Authorities'. The 'client'
>cert seems to install in 'Other People', and does include the
>XPextensions stuff.
>So I'm trying to verify the client certificate...
># openssl verify -CAfile ca.pem spare\
>spare at /C=US/ST=Arizona/O=MyOrg/CN=spare at at
>error 20 at 0 depth lookup:unable to get local issuer certificate
>so I figured I would try to verify it against the server file...
># openssl verify -CAfile server.pem spare\
>spare at /C=US/ST=Arizona/O=MyOrg/CN=Radius Server
>Certificate/emailAddress=craig at
>error 2 at 1 depth lookup:unable to get issuer certificate
>but indeed the server file verifies...
># openssl verify -CAfile ca.pem server.crt
>server.crt: OK
># openssl verify -CAfile ca.pem server.pem
>server.pem: OK
>This would seem pretty simple (the directions make it seem simple)
>edited client.cnf
>changed input/output password values to the same, simple value
>changed the e-mail address and cn to the same value as shown above
>What am I doing wrong?

Try attached Makefile. It has been altered so client certificates are
signed by the ca and not server certificate. I was unable to
"persuade" up-to-date Windows PCs to accept server certificate as an
Intermediate CA. Changing the issuer resolved the problem.

Ivan Kalik
Kalik Informatika ISP
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile
Type: application/octet-stream
Size: 4540 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list