SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

john lists.john at
Tue Jun 16 05:16:19 CEST 2009

For the sake of posterity (e.g future searches on this topic). The
stanza that Ivan replace in the MAKEFILE used to create working
client.p12 files under Windows XP SP3 are:

client.csr client.key: client.cnf
        openssl req -new  -out client.csr -keyout client.key -config

client.crt: client.csr ca.pem ca.key index.txt serial
        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile
xpextensions -config ./client.cnf

client.p12: client.crt
        openssl pkcs12 -export -in client.crt -inkey client.key -out
client.p12  -passin pass:$(PASSWORD_CLIENT) -passout

client.pem: client.p12
        openssl pkcs12 -in client.p12 -out client.pem -passin
pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
        cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
        c_rehash .
        openssl verify -CApath . client.pem

> The makefile you sent me allowd me to generate a correct client.p12
> which cleared up the error reported by windows. Thanks very much. So
> it looks like windows may prefer personal certs signed by the CA
> rather than the server? I can sucessfully use the client cert with the
> "Smart Card or other Certificate" options on Windows XP/SP3 (which
> uses EAP-TLS I believe).

More information about the Freeradius-Users mailing list