Generating a Microsoft compatible CSR for FreeRADIUS

Christ Schlacta lists at
Fri Jan 21 01:05:53 CET 2011

2 issues
1) is there a listing somewhere of all OIDs and what they all mean to
windows (XP) ?

2) Issuing client certs isn't that difficult.  with windows vista/7,
installing a cert is a simple double-click operation, so if they have a usb
flash, you can use linux to zip a copy of their private key and a .doc with
instructions (including screenies!) on configuring their OS in a matter of
seconds, all they have to do is stop by IT to request a key once, and it's
good for as long as you honour it.

On Thu, Jan 20, 2011 at 3:10 PM, Alan Buxey <A.L.M.Buxey at> wrote:

> Hi,
> > > To clarify, they can pretend to be a valid server, because *anyone*
> signed by Verisign is a valid server.
> >
> > > To go one step further, they can have verisign sign a CA, and then use
> that CA to create *any* certificate they want,
> > > including one which pretends to be your server.  Most users won't
> bother reading the entire certificate chain.
> > > They'll just see "" (or >whatever) and click "OK".
> >
> > Ahh , I see what you mean.  Thank you for the clarification.  The masses
> of undereducated and/or apathetic users out there are the biggest challenges
> facing IT pros.
> aye. this is why a self-signed cert can be beneficial...its a closed-loop
> system
> then - only your own users ever authenticate against your server (ie use
> the
> SSL cert to create an EAP tunnel to do things) - external users/visitors
> would
> be proxied off to their home site (eg if using eduroam) - so you dont need
> to
> worry about them getting the CA onto their system.
> you can shore things up a bit by ensuring that the clients are configured
> to
> only trust the CA you've chosen...and filled in the RADIUS server name
> (well,
> its CN from the SSL cert it provides when making the tunnel). but, once
> again, thats getting things done right... most users with most OS's will
> just click on the SSID and fill in basic details when prompted  (I guess
> at least a lot of pain is now gone from 802.1X network connections....quick
> and dirty).
> PS dealing with public CA's isnt always so clear cut and quick - sometimes
> the OS needs to be updated/patched before the CA is available...or updated
> CA is supplied...and sometimes the train of trust changes so what was a CA
> becomes an intermediary etc - so you have to deal with those cases too.
> PS as already said, the extensions you need are documented and provided
> in the 'xpextensions' file - they're basically how windows decides
> 'purpose'
> of the cert. tiresome really.
> alan
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list