WPA Certificate Question
Mike Diggins
mike.diggins at mcmaster.ca
Tue Feb 2 19:36:43 CET 2010
On Sun, 31 Jan 2010, Alan Buxey wrote:
> Hi,
>
>> to these servers" client field, just enter the 'common name' entered on
>> the certificate? I wonder if a wildcard cert would work for this. As in
>> *.myorg.ca, then entering *.myorg.ca for client servers field. Just asking
>> because I have one of those.
>
> depends on supplicant - some understand wildcards...some just need the
> domain name to be specified
>
>> In the README file there is this warning:
>>
>> "You will have to ensure that the certificate contains the XP
>> extensions needed by Microsoft clients."
>>
>> But I can't find any further information about it. How do I ensure my
>> certificate has these extensions? Would a CA signed cert have this?
>
> check the FreeRADIUS certificate makefile - you can see the xpextensions
> file and the required attributes. you can use the openssl tool to view
> the certificate in text mode - whether the CA will sign it - you
> may have to request this functionality
>
I generated a server certificate using the provided documentation in the
certs/README file. I took the generated server.csr and got it signed by
Thawte (just a 20 day trial cert for now). They provided my certificate
and I replaced the contents of server.crt with it. Now when I start up
FreeRadius in debug, I get:
rlm_eap: SSL error error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch
rlm_eap_tls: Error reading private key file
/usr/local/freeradius/etc/raddb/certs/server.key
rlm_eap: Failed to initialize type tls
/usr/local/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for
module "eap"
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to
find module "eap".
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors
parsing authenticate section.
}
I did update the private key password in eap.conf, to match the one I used
in the original signing request. So what did I do wrong?
-Mike
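
The X509_check_private_key "key values mismatch" error quoted above means OpenSSL found that the public key in server.crt and the private key in server.key are not a pair. The script below is an added example, not part of the original message or of FreeRADIUS. It compares the two public keys directly. The helper names, the sample CN and the generated files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key belong together.
# File names follow the post (server.crt, server.key); helper names are hypothetical.

# pubkey_of_cert FILE: print the public key embedded in a PEM certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# pubkey_of_key FILE [PASS_SOURCE]: derive the public key from a private key.
# PASS_SOURCE is an openssl pass phrase argument such as file:/path or env:VAR.
pubkey_of_key() {
    if [ -n "$2" ]; then
        openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi
}

# cert_matches_key CERT KEY [PASS_SOURCE]: return 0 only when both files
# yield the same, non-empty public key; 2 when a file cannot be read.
cert_matches_key() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2" "$3") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_samples DIR: build constructed material (two throwaway keys and a
# self-signed certificate for the first one) so the check can be tried offline.
make_samples() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/server.key" -subj "/CN=radius.example.org" \
        -days 1 -out "$1/server.crt" 2>/dev/null
}

# Run against real files when given: sh check.sh server.crt server.key [PASS_SOURCE]
if [ "$#" -ge 2 ]; then
    cert_matches_key "$@" && echo "certificate matches key" \
        || echo "certificate does NOT match key (or a file could not be read)"
fi
```

The same comparison works against the signing request with `openssl req -in server.csr -noout -pubkey`, which shows whether the CSR sent to the CA was generated from the key now on disk.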