client certs

Craig White craigwhite at azapple.com
Thu Dec 11 01:30:52 CET 2008


On Thu, 2008-12-11 at 01:13 +0100, tnt at kalik.net wrote:
> >freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
> >
> >followed instructions in certs/README perfectly - so I believe.
> >
> >server certs seem fine but generated client cert in Windows shows
> >"Windows does not have enough information to verify" and yes, I have
> >loaded the 'ca.der' file generated by the instructions on the Windows
> >client and that installs in 'Trusted Root Authorities'. The 'client'
> >cert seems to install in 'Other People', and does include the
> >XPextensions stuff.
> >
> >So I'm trying to verify the client certificate...
> >
> ># openssl verify -CAfile ca.pem spare\@myorg.com.pem
> >spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=spare at myorg.com/emailAddress=spare at myorg.com
> >error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> >so I figured I would try to verify it against the server file...
> ># openssl verify -CAfile server.pem spare\@myorg.com.pem
> >spare at myorg.com.pem: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server
> >Certificate/emailAddress=craig at myorg.com
> >error 2 at 1 depth lookup:unable to get issuer certificate
> >
> >but indeed the server file verifies...
> >
> ># openssl verify -CAfile ca.pem server.crt
> >server.crt: OK
> >
> ># openssl verify -CAfile ca.pem server.pem
> >server.pem: OK
> >
> >This would seem pretty simple (the directions make it seem simple)
> >edited client.cnf
> >changed input/output password values to the same, simple value
> >changed the e-mail address and cn to the same value as shown above
> >
> >What am I doing wrong?
> >
> 
> Try attached Makefile. It has been altered so client certificates are
> signed by the ca and not server certificate. I was unable to
> "persuade" up-to-date Windows PCs to accept server certificate as an
> Intermediate CA. Changing the issuer resolved the problem.
----
OK - question...

I only re-generated the 'client' certificate but in doing a diff, it
appears that every level of cert generation has changed...do I have to
start over?

Windows is still complaining with the new client certificate and yes, the system
is XP Service Pack 3, so it's pretty much up-to-date.

Craig
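
The issuer mismatch behind the quoted `error 20`, and the change of issuer tnt describes, reproduced as an added example that is not part of the original thread or of the FreeRADIUS certs Makefile. All subjects, the file names (`demo.cnf`, `client_by_server.pem`, `client_by_ca.pem`) and the CA:FALSE server certificate are assumptions constructed for this demo.

```shell
#!/bin/sh
# Added demo; every name and subject here is constructed ("Demo CA", etc.).

# Build a throwaway PKI in directory $1: root CA, server cert, and two client
# certs for one key, issued by the server cert and by the CA respectively.
build_demo_pki() (
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    new_req() {  # $1 = file stem, $2 = subject
        openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
            -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {     # $1 = CSR stem, $2 = issuer stem, $3 = output cert, $4 = serial
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -set_serial "$4" -days 2 -extfile demo.cnf -extensions v3_leaf \
            -out "$3" 2>/dev/null
    }
    openssl req -config demo.cnf -x509 -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null &&
    new_req server "/CN=Demo Radius Server" && sign server ca server.pem 2 &&
    new_req client "/CN=client@example.org" &&
    sign client server client_by_server.pem 3 &&  # issuer = server cert
    sign client ca client_by_ca.pem 4             # issuer = CA
)

# Succeeds only if cert $2 chains to ca.pem in directory $1. The output is
# checked for ": OK" so the result does not rely on openssl's exit status.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2" 2>&1 | grep -q ': OK$'
}

issuer_of() { openssl x509 -noout -issuer -in "$1"; }

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" || exit 1
for c in client_by_server.pem client_by_ca.pem; do
    if verify_with_ca "$demo_dir" "$c"; then r=OK; else r=FAIL; fi
    echo "$c: $r, $(issuer_of "$demo_dir/$c")"
done
rm -rf "$demo_dir"
```

Running `openssl x509 -noout -issuer -in` on an existing client certificate shows which of the two layouts it was generated with.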



