Server certificate confusion

Nick Howitt nick at
Wed Apr 18 11:40:06 CEST 2018

On 17/04/2018 14:35, Nick Howitt wrote:
> On 17/04/2018 13:55, Alan DeKok wrote:
>> On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick at> wrote:
>>> Replying to my own post.
>>> There was a permission problem which I've now fixed, but I still get 
>>> failure:
>>> eapol_test:
>>>    (6) eap_tls:   ERROR: SSL says error 26 : unsupported certificate
>>>    purpose
>>    That means that the certificate hierarchy is wrong.  i.e. cert A 
>> has created cert B, but cert A doesn't have OIDs which say it's 
>> allowed to create sub-certificates.
>>    Newer versions of OpenSSL check these settings.  Older versions of 
>> OpenSSL didn't do that.
>>    How did you create the certificates?  The scripts in the 
>> raddb/certs directory should work, so using those would probably help.
>>    Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See 
> Thanks for the reply. The distro, ClearOS is working in a slightly 
> funny way. The CA is created from (adjusted expanding the variables 
> with the config file):
> openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep 
> default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` -config 
> /etc/raddb/certs/ca.cnf
> It is a little tortuous with how it gets here, but it is using the 
> default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking 
> the generated CA, I see:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>  Nick
> -
> List info/subscribe/unsubscribe? See 
Hello Alan,

I've reverted the set up to use the standard Freeradius certs and I've 
been through the certs README, deleting all certificates  and recreating 
the ca.pem and server certs (btw I think the order in the README is 
wrong as you need to create the server.csr before the server.pem) and 
I've hit the same "(6) eap_tls:   ERROR: SSL says error 26 : unsupported 
certificate purpose" issue when running eapol_test with the new certs. 
If I remove the "-extensions xpserver_ext -extfile xpextensions" from 
the makefile and recreate the server.pem, the eapol_test passes but 
presumably the certs will be rejected by M$ Windows.


More information about the Freeradius-Users mailing list