Windows Phone CA verification debugging

Mathieu Simon mathieu.sim at gmail.com
Mon Sep 16 11:33:56 CEST 2013


Hi,

2013/9/16 <A.L.M.Buxey at lboro.ac.uk>

>
> we've had no problems with self-signed CA or with 3rd party CA and standard
> RADIUS certificate BUT the certificate must have CRLDP (CRL distribution
> point) URL defined. that can either be at CA level or RADIUS level - or both.
>
> eg
>
> crlDistributionPoints = URI:http://yoururl.here/ca.crl
>
> in the server extensions.

Thank you Alan, at least good to hear someone is out there who got it working.

Hmm, the server certificate though seems to contain a CRLDP. I've tried removing personal and attach the openssl output at the end, maybe someone spots a problem...

Do you happen to have Subject Alternate Names or would you avoid it with RADIUS? (That certificate does have them.) I know for example that some exotic or (very old) browsers for example can have problems with SAN, but yet didn't encounter any with PEAP this far.

The file also contains (in order of appearance): Root CA cert, 1 intermediate CA, then the server cert, if that's of importance.

-- Mathieu

# openssl x509 -text -in /etc/freeradius/certs/myserver.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: <snip!>
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: <snip>
            Not After : <snip>
        Subject: ..., C= ... <snip>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: snip! (yes it's larger than 1024 bit) ;-)
                Modulus:
                <snip>

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73
            X509v3 Authority Key Identifier:
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86

            X509v3 Subject Alternative Name:
                DNS: <snip!>
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.startssl.com/crt2-crl.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
    <snip>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
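As an added example (not part of this thread, and not FreeRADIUS code), the following standard-library-only Python script parses the text form of `openssl x509 -text -noout` output, the same layout as the dump above, and reports whether the server certificate carries the extensions discussed here: a CRL Distribution Point URI (Alan's requirement), the TLS Web Server Authentication EKU, CA:FALSE basic constraints, and a Subject Alternative Name. The embedded dump is constructed with placeholder values (`radius.example.org`, `crl.example.org`) and the function names are my own.

```python
"""Check an `openssl x509 -text -noout` dump for the extensions a RADIUS/PEAP
server certificate is expected to carry (example code, stdlib only)."""
import sys

# Constructed sample in the layout of `openssl x509 -text -noout` output.
# Placeholder names and URLs; this is not a real certificate.
_HEAD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234 (0x4d2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Issuing CA
        Subject: CN=radius.example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:radius.example.org
"""
_CRLDP_BLOCK = """\
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.org/issuing.crl

"""
_TAIL = """\
            Authority Information Access:
                OCSP - URI:http://ocsp.example.org/
    Signature Algorithm: sha256WithRSAEncryption
"""
SAMPLE_DUMP = _HEAD + _CRLDP_BLOCK + _TAIL          # has a CRLDP
SAMPLE_NO_CRLDP = _HEAD + _TAIL                      # constructed negative case


def parse_extensions(dump):
    """Return {extension name: [non-empty body lines]} from the X509v3 block.

    openssl prints extension names at 12 spaces of indent and their bodies
    deeper; the block ends when indentation returns to the 4-space level
    ('Signature Algorithm:')."""
    exts, current, in_block = {}, None, False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_block = True
            continue
        if not in_block:
            continue
        indent = len(line) - len(line.lstrip())
        if stripped and indent <= 4:
            break
        if indent == 12 and stripped.endswith(":"):
            current = stripped[:-1]
            exts[current] = []
        elif current is not None and stripped:
            exts[current].append(stripped)
    return exts


def crl_uris(exts):
    """URIs listed under the CRL Distribution Points extension."""
    body = exts.get("X509v3 CRL Distribution Points", [])
    return [line.split("URI:", 1)[1] for line in body if line.startswith("URI:")]


def check_radius_cert(dump):
    """Evaluate the checklist from the thread; returns {check name: bool}."""
    exts = parse_extensions(dump)
    eku_values = [v.strip()
                  for line in exts.get("X509v3 Extended Key Usage", [])
                  for v in line.split(",")]
    return {
        "crldp_present": bool(crl_uris(exts)),
        "server_auth_eku": "TLS Web Server Authentication" in eku_values,
        "not_ca": "CA:FALSE" in exts.get("X509v3 Basic Constraints", []),
        "san_present": bool(exts.get("X509v3 Subject Alternative Name")),
    }


if __name__ == "__main__":
    # Usage: openssl x509 -text -noout -in server.pem | python check_cert.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for name, ok in check_radius_cert(text).items():
        print(f"{name:16s} {'OK' if ok else 'MISSING'}")
    for uri in crl_uris(parse_extensions(text)):
        print("CRL URI:", uri)
```

The parser relies only on the indentation conventions of the openssl text output, so it works on a dump redacted the way the one above is, as long as the wrapped lines are rejoined first.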