XP SP3 an EAP-TLS partly solution
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Mon Jan 26 11:51:26 CET 2009
Alexandros Gougousoudis wrote:
> Hi Ivan,
>
>
>> Try signing client certificates with the ca certificate. I have included
>> modified Makefile for 2.1.3. I have added "make caclient.pem" to
>> produce client certificates and "cleanca" to remove them. Try
>> importing caclient.p12 created this way onto the user machine (along
>> with ca.der) and see if they will work with SP3. They should work with
>> SP2 as well.
>>
>
> Thanks for your reply, but that is already what I do. I have created a
> CA in TinyCA and the server has a signed server-cert and each client
> has a signed client-cert (both with the XP specific usage attributes).
I had an issue once when using client certs generated with TinyCA; this
was due to the fact that, by default, TinyCA includes the emailAddress
in the DN subject.
> Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS,
> OU=ServiceCenter-IT,
> CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
Your CA cert's DN includes the emailAddress. Though this was not exactly
the issue I had (mine was related to the client certs), I would
recommend not adding this emailAddress to the DN and testing again.
HTH,
Thibault
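
One way to check a certificate for the condition discussed in this message, as an added example that is not part of the original post: it scans the text printed by `openssl x509 -noout -text` and reports any emailAddress attribute in the Issuer or Subject DN. The function names `parse_dn` and `email_in_dn` are hypothetical, the Issuer line is the one quoted above (rejoined, with the archive's " at " left as is), and the Subject line is constructed.

```python
import re

# Start of each attribute in a printed DN. Older OpenSSL builds print
# "C=DE, ST=Berlin, .../emailAddress=x"; newer ones "C = DE, ..., emailAddress = x".
# Limitation: a value that itself contains ", name=" or "/name=" is split there.
_ATTR = re.compile(r"(?:^|,\s*|/)([A-Za-z][A-Za-z0-9.]*)\s*=\s*")
_EMAIL_TYPES = {"emailaddress", "e"}  # "E" is a short form some tools print

def parse_dn(dn):
    """Split a printed DN into ordered (type, value) pairs."""
    dn = " ".join(dn.split())  # undo line wrapping and extra spaces
    starts = list(_ATTR.finditer(dn))
    pairs = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(dn)
        pairs.append((m.group(1), dn[m.end():end].strip()))
    return pairs

def email_in_dn(cert_text):
    """Map 'Issuer'/'Subject' to the e-mail values found in that DN."""
    found = {}
    for line in cert_text.splitlines():
        label, sep, dn = line.strip().partition(":")
        if sep and label in ("Issuer", "Subject"):
            found[label] = [v for t, v in parse_dn(dn)
                            if t.lower() in _EMAIL_TYPES]
    return found

# Sample input: Issuer as quoted in this thread, Subject constructed.
SAMPLE = """\
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it at kh-berlin.de
        Subject: C=DE, O=Example Org, CN=client01
"""

if __name__ == "__main__":
    for name, emails in email_in_dn(SAMPLE).items():
        status = "contains emailAddress: " + ", ".join(emails) if emails else "ok"
        print(f"{name}: {status}")
```
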