chain certificate problem

Stefan Winter stefan.winter at restena.lu
Fri Nov 8 20:40:35 CET 2013


Hi,

> Thank you for the answers. I have concatenated the SSL certificate with the intermediate certificates, run dos2unix on the result, and added some CR.
> At this point, Windows accepts my certificate, but complains that it is not an "anchor" and that my server doesn't support "NPS bla blah blah". I don't see what the meaning of this is.
>
> With OSX, I must manually accept my certificate. It doesn't make sense to me, because the whole chain is now valid (since the root CA is in the store).
>
> Thank you anyway. It is a lot better.

It's not good until it works :-) Some OSes are more picky than others
when it comes to accepting certificates. There are many more parameters
than "the chain is okay". I don't know if you are working in an eduroam
context or not, but our EAP server cert recommendation pages might help
in any case. See here:

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations

And the "is not an NPS server" nonsense is unrelated to the certs, IIRC.
Don't recall which option to set/unset in the client from the top of my
head though, sorry.

Greetings,

Stefan Winter

