WPA Certificate Question

Mike Diggins mike.diggins at mcmaster.ca
Tue Feb 2 19:36:43 CET 2010


On Sun, 31 Jan 2010, Alan Buxey wrote:

> Hi,
>
>> to these servers" client field, just enter the 'common name' entered on
>> the certificate? I wonder if a wildcard cert would work for this. As in
>> *.myorg.ca, then entering *.myorg.ca for client servers field. Just asking
>> because I have one of those.
>
> depends on supplicant - some understand wildcards...some just need the
> domain name to be specified
>
>> In the README file there is this warning:
>>
>>  	"You will have to ensure that the certificate contains the XP
>>  	extensions needed by Microsoft clients."
>>
>> But I can't find any further information about it. How do I ensure my
>> certificate has these extensions? Would a CA signed cert have this?
>
> check the FreeRADIUS certificate makefile - you can see the xpextensions
> file and the required attributes. you can use the openssl tool to view
> the certificate in text mode - whether the CA will sign it - you
> may have to request this functionality
>


I generated a server certificate using the provided documentation in the 
certs/README file. I took the generated server.csr and got it signed by 
Thawte (just a 20 day trial cert for now). They provided my certificate 
and I replaced the contents of server.crt with it. Now when I start up 
FreeRADIUS in debug, I get:

rlm_eap: SSL error error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
rlm_eap_tls: Error reading private key file /usr/local/freeradius/etc/raddb/certs/server.key
rlm_eap: Failed to initialize type tls
/usr/local/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
  }

I did update the private key password in eap.conf, to match the one I used 
in the original signing request. So what did I do wrong?

-Mike
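
A check for the two conditions raised in this thread, as an added example that is not part of the original message or of the FreeRADIUS distribution: whether a certificate and a private key belong together (the "key values mismatch" error above), and whether the certificate carries the serverAuth Extended Key Usage. The function names, file names, the CN and the KEY_PASS variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example; every file name and the CN below are constructed.

# Exit 0 if the certificate's public key equals the one derived from the key.
# For an encrypted key, export KEY_PASS first (keeps the password out of argv).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    if [ -n "${KEY_PASS:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 2
    else
        key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate carries the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1).
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Build constructed test material in directory $1: one key with two self-signed
# certificates (with and without the EKU) plus an unrelated second key.
make_demo_files() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.org
[xp]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[plain]
basicConstraints = CA:FALSE
EOF
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -config "$1/demo.cnf" -extensions xp \
        -key "$1/server.key" -out "$1/server.crt" &&
    openssl req -new -x509 -days 1 -config "$1/demo.cnf" -extensions plain \
        -key "$1/server.key" -out "$1/noeku.crt"
}

# Usage: sh check.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2" && echo "key matches certificate" || echo "key values mismatch"
    cert_has_server_auth "$1" && echo "serverAuth EKU present" || echo "serverAuth EKU missing"
fi
```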



