Windows Phone CA verification debugging
Mathieu Simon
mathieu.sim at gmail.com
Mon Sep 16 11:33:56 CEST 2013
Hi,
2013/9/16 <A.L.M.Buxey at lboro.ac.uk>
>
> we've had no problems with self-signed CA or with 3rd party CA and standard
> RADIUS certificate BUT the certificate must have CRLDP (CRL distribution
> point) URL defined. That can either be at CA level or RADIUS level - or both.
>
> eg
>
> crlDistributionPoints = URI:http://yoururl.here/ca.crl
>
> in the server extensions.
Thank you Alan, at least it's good to hear someone out there got it working.

Hmm, the server certificate does seem to contain a CRLDP though. I've tried
removing personal data and attached the openssl output at the end; maybe
someone spots a problem...

Do you happen to have Subject Alternative Names, or would you avoid them with
RADIUS? (That certificate does have them.) I know, for example, that some
exotic or very old browsers can have problems with SAN, but I haven't
encountered any with PEAP so far.

The file also contains (in order of appearance): Root CA cert, 1 intermediate
CA, then the server cert, if that's of importance.
-- Mathieu
# openssl x509 -text -in /etc/freeradius/certs/myserver.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: <snip!>
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: <snip>
            Not After : <snip>
        Subject: ..., C= ... <snip>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: snip! (yes it's larger than 1024 bit) ;-)
                Modulus:
                    <snip>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73
            X509v3 Authority Key Identifier:
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
            X509v3 Subject Alternative Name:
                DNS:<snip!>
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.startssl.com/crt2-crl.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
        <snip>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
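As an added example for this thread (not the poster's output above and not FreeRADIUS's own code): the script below builds a throwaway CA and server certificate that carry the extensions the quoted advice asks for (crlDistributionPoints at CA level and at RADIUS-certificate level, plus a subjectAltName), and then checks a PEM file for a CRLDP URI and for SAN entries the same way you would check a real /etc/freeradius/certs/server.pem. It only needs the openssl command-line tool. The hostname radius.example.org and the CRL URL http://crl.example.org/ca.crl are assumptions for illustration; a second server certificate is deliberately issued without a CRLDP to show the check failing on it.

```shell
#!/bin/sh
# Added example, not from the thread: build a CA + server cert with the
# CRLDP/SAN extensions discussed above, then check a PEM file for them.
# Assumed for illustration: radius.example.org, http://crl.example.org/ca.crl
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OpenSSL config: a minimal [req] section (the subject comes from -subj) and
# three extension sections: the CA, a correct server cert, and one with no CRLDP.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = URI:http://crl.example.org/ca.crl

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:radius.example.org
crlDistributionPoints = URI:http://crl.example.org/ca.crl

[ nocrl_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.org
EOF

# Self-signed CA with ca_ext, one CSR, and two certificates signed from it:
# server.pem (server_ext, with CRLDP) and nocrl.pem (nocrl_ext, without).
build_chain() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab Root CA" -config "$WORK/ext.cnf" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=radius.example.org" -config "$WORK/ext.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  for ext in server_ext nocrl_ext; do
    case $ext in server_ext) out=server.pem ;; *) out=nocrl.pem ;; esac
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 825 -sha256 -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$out" 2>/dev/null
  done
}

# Print the URIs listed under "X509v3 CRL Distribution Points" in a PEM
# certificate, one per line; prints nothing if the extension is absent.
# A line indented by 12 spaces or fewer starts the next extension, so stop there.
crldp_uris() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 CRL Distribution Points/ { f = 1; next }
    f && substr($0, 1, 13) ~ /[^ ]/  { f = 0 }
    f && /URI:/                      { sub(/.*URI:/, ""); print }'
}

# Print the Subject Alternative Name entries, e.g. "DNS:radius.example.org".
san_names() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Subject Alternative Name/ { f = 1; next }
    f && substr($0, 1, 13) ~ /[^ ]/   { f = 0 }
    f                                 { gsub(/^ +/, ""); print }'
}

# Exit 0 if the certificate ($1) chains to the CA file ($2) and carries at
# least one CRLDP URI, 1 otherwise: the two properties the quoted advice wants.
check_radius_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  [ -n "$(crldp_uris "$1")" ]
}

build_chain
printf 'CA CRLDP:     %s\n' "$(crldp_uris "$WORK/ca.pem")"
printf 'Server CRLDP: %s\n' "$(crldp_uris "$WORK/server.pem")"
printf 'Server SAN:   %s\n' "$(san_names "$WORK/server.pem")"
check_radius_cert "$WORK/server.pem" "$WORK/ca.pem" && echo "server.pem: chains and has a CRLDP"
if check_radius_cert "$WORK/nocrl.pem" "$WORK/ca.pem"; then
  echo "nocrl.pem: unexpectedly passed"
else
  echo "nocrl.pem: chains to the CA but has no CRLDP"
fi
```

To run the checks against a real deployment, point crldp_uris and check_radius_cert at the server certificate and the CA bundle from the FreeRADIUS certs directory instead of the generated files. The check only confirms that a CRLDP URI is present in the certificate; whether the client can actually reach that URL is a separate question.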