HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

Nik Alleyne nalleyne at
Thu Jul 16 18:59:30 CEST 2009

Hi Guys,
I think this is an excellent tutorial for what he is trying to achieve.
I've used this along with assistance from Ivan and have gotten everything I
wanted to work successfully.

Quoting Nicolas Boullis <nicolas.boullis at>:

> Hi,
> DISCLAIMER: I'm no Windows specialist.
> john wrote:
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported? Do I need to make a registry change in
>> HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
> * You have to edit your registry to add an "AuthMode" dword key in
>   HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>   with value 2.
> * You have to load your certificate and private key in the computer's
>   personal store. I did that with mmc.exe. Note that loading the
>   certificate and private key in a user's personal store and then
>   moving them to the computer's store did not work for me.
> * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>   Authentication" or Windows won't use it.
> * The username Windows will use is the name in the certificate with
>   "host/" prepended.
> Note that things are quite different with Windows Vista.
> Hope this helps,
> --
> Nicolas Boullis
> Ecole Centrale Paris

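A read-only check of the machine-side points listed in the quoted message, as an added example that is not part of the original thread. It assumes a PowerShell prompt on the workstation; the registry path and the value 2 are the ones the post gives for Windows XP, and using the certificate's simple name as "the name in the certificate" is an assumption.

```powershell
# Added example: verifies the prerequisites from the post without changing anything.
# Registry path and AuthMode value 2 come from the post (hive written as HKLM:).
$eapolKey      = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # "TLS Web Client Authentication" EKU

# Point 1: the AuthMode dword
$authMode = (Get-ItemProperty -Path $eapolKey -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
if ($authMode -eq 2) {
    'AuthMode = 2: OK'
} else {
    "AuthMode is '$authMode'; the post sets it to 2"
}

# Points 2-4: certificates in the computer's personal store (not a user's store)
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($certs.Count -eq 0) { 'No certificates found in Cert:\LocalMachine\My' }

foreach ($cert in $certs) {
    # Locate the Extended Key Usage extension, if the certificate has one
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
    }

    # Assumption: the simple name (usually the subject CN) is the name Windows uses
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $name     = $cert.GetNameInfo($nameType, $false)

    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        HasPrivateKey    = $cert.HasPrivateKey     # must be True for EAP-TLS
        ClientAuthEKU    = $hasClientAuth          # must be True or Windows won't use it
        ExpectedUsername = "host/$name"            # what the RADIUS server should expect
    }
}
```

A certificate that shows `HasPrivateKey = False` after import is consistent with the moved-from-user-store problem the post describes.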
