HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

Nicolas Boullis nicolas.boullis at
Thu Jul 16 17:12:09 CEST 2009


DISCLAIMER: I'm no Windows specialist.

john wrote:
> I am having a hard time figuring out how to make this work. Where/how
> does the cert get imported. Do I need to make a registry change in
> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
> to make this work? I hope this is the part someone on the list will
> have done before and be able to guide me or point me at a howto.

I had a hard time with this as well, and finally succeeded, using
Windows XP.
There are many points that matter:
 * You have to edit your registry to add a "AuthMode" dword key in
   with value 2.
 * You have to load your certificate and private key in the computer's
   personal store. I did that with mmc.exe. Note that loading the
   certificate and private key in a user's personal store and then
   moving them to the computer's store did not work for me.
 * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
   Authentication" or Windows won't use it.
 * The username Windows will use is the name in the certificate with
   "host/" prepended.

Note that things are quite different with Windows Vista.

Hope this helps,

Nicolas Boullis
Ecole Centrale Paris

More information about the Freeradius-Users mailing list