XP SP3 an EAP-TLS partly solution

Alexandros Gougousoudis gougousoudis-list at servicecenter-khs.de
Mon Jan 26 11:40:18 CET 2009


Hi Ivan,


> Try signing client certificates with the ca certificate. I have included
> modified Makefile for 2.1.3. I have added "make caclient.pem" to
> produce client certificates and "cleanca" to remove them. Try
> importing caclient.p12 created this way onto the user machine (along
> with ca.der) and see if they will work with SP3. They should work with
> SP2 as well.
>   

Thanks for your reply, but that is already what I do. I have created a 
CA in TinyCA and the server has a signed server-cert and each client has 
a signed client-cert (both with the XP specific usage attributes). The 
CA is of course imported into the trusted authorities branch. The CN is 
the computer name (because I'm doing a machine-based auth). The certmgr 
in XP says it's a valid and trusted cert. That's how it worked in SP2.

I compared your example-cert with my cert and I can't see a significant 
difference.

Look here for my client-cert:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 127 (0x7f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
        Validity
            Not Before: Jan 16 14:24:44 2009 GMT
            Not After : Jan 15 14:24:44 2014 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:a8:74:46:34:9e:7d:1d:45:71:0d:35:d8:48:ea:
[...]
                    39:72:cf:d8:e5:c8:6c:2e:7f:95:1d:6b:cb:49:78:
                    6f:94:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                DA:29:47:A5:D0:34:CC:D1:94:86:98:A4:65:68:C5:1D:F7:9C:E8:D5
            X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05

            X509v3 Issuer Alternative Name:
                email:sc-it at kh-berlin.de
            X509v3 Subject Alternative Name:
                DNS:HFS-PA-140109-2
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9:
  [...]
        f7:80:cc:0f:42:db:b3:fd


Don't know what to do. Have you tried a machine-based EAP-TLS with SP3?

TIA
 Alex
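Added example (editor's code, not from this thread or from the FreeRADIUS project): a small Python script that reads the text form of a certificate as printed by `openssl x509 -text` and checks the attributes the message above relies on for a machine EAP-TLS client certificate: Basic Constraints CA:FALSE, Key Usage containing Digital Signature, Extended Key Usage containing TLS Web Client Authentication, and a Subject Alternative Name DNS entry equal to the Subject CN. The embedded dump is a constructed, abbreviated copy of the certificate shown above; the indentation rules (extension names at 12 spaces, values at 16) follow the openssl text layout. Feed it the output of `openssl x509 -in client.pem -noout -text` to compare your own certificate against a known-working one.

```python
"""Check an `openssl x509 -text` dump for the extension values an
EAP-TLS client (machine) certificate is expected to carry."""
import re

# Constructed sample, abbreviated from the certificate in the message.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Subject Alternative Name:
                DNS:HFS-PA-140109-2
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""


def parse_extensions(text):
    """Return {name: {"critical": bool, "values": [str, ...]}} for the
    X509v3 extensions section. Extension headers are indented 12 spaces,
    their value lines 16 spaces; comma-separated values are split."""
    exts = {}
    current = None
    in_exts = False
    for line in text.splitlines():
        if line.strip() == "X509v3 extensions:":
            in_exts = True
            continue
        if not in_exts:
            continue
        if line.startswith("    Signature Algorithm"):
            break  # end of the extensions section
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if indent == 12 and stripped:
            critical = stripped.endswith(": critical")
            name = stripped.replace(": critical", "").rstrip(":")
            current = name
            exts[current] = {"critical": critical, "values": []}
        elif current is not None and stripped:
            exts[current]["values"].extend(v.strip() for v in stripped.split(","))
    return exts


def subject_cn(text):
    """Extract the CN from the Subject line (None if absent)."""
    match = re.search(r"^\s*Subject: .*?CN=([^,/\n]+)", text, re.MULTILINE)
    return match.group(1).strip() if match else None


def check_eap_tls_client(text):
    """Return a list of problems; an empty list means the certificate
    has the attributes a Windows EAP-TLS machine certificate needs."""
    exts = parse_extensions(text)
    problems = []

    def values(name):
        return exts.get(name, {}).get("values", [])

    if "CA:FALSE" not in values("X509v3 Basic Constraints"):
        problems.append("Basic Constraints should be CA:FALSE")
    if "Digital Signature" not in values("X509v3 Key Usage"):
        problems.append("Key Usage lacks Digital Signature")
    if "TLS Web Client Authentication" not in values("X509v3 Extended Key Usage"):
        problems.append("Extended Key Usage lacks TLS Web Client Authentication")

    cn = subject_cn(text)
    dns_names = [v[len("DNS:"):] for v in values("X509v3 Subject Alternative Name")
                 if v.startswith("DNS:")]
    if cn is None or cn not in dns_names:
        problems.append("Subject Alternative Name has no DNS entry matching CN %r" % cn)
    return problems


if __name__ == "__main__":
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for problem in check_eap_tls_client(dump) or ["OK: client-auth attributes present"]:
        print(problem)
```

The script reports only what is missing relative to the attributes discussed in the thread; a clean result does not prove the supplicant will accept the certificate, since trust-chain, private-key availability in the machine store and supplicant policy are checked elsewhere.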
