Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at
Fri Dec 14 11:34:23 CET 2018

The exact error msg is '  the request does not contain a certificate
template extension or the Certificate Template request attribute.'
I used make server.csr to generate CSR, and choose RAS and IAS Server
template which used by NPS of windows, including EKU of

So I guess some new attribute is added by MS server 2016 CA, which  makes
CSR created by `make server.csr` isn't  compatible with it.

Find out a way to export CA of MS CA and sign with it in
Will try it next week.

A quick question, is it possible to not use password for client cert ? So
I'll use Group policy and deploy it on all domain computers.
All users share the same cert,  is is best practice?


On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn at> wrote:

> On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
> >    Sorry to trouble you again, I create server.csr by make
> > server.csr, when
> > I apply a cert by server.csr created by 'make server.csr', MS
> > Certificiate
> > Authority said cannot find cert template for my csr.
> You need to ask whoever runs your CA what that means.
> The 'Makefile' in the certs dir will use openssl to generate working
> certificates. It's plain text, so you can see what commands it runs.
> >    So does anyone have expericenced this and offer me a little help?
> Make sure the certificates you use have the TLS Web Server
> Authentication and TLS Web Client Authentication OIDs in them. What
> method you use to do that doesn't really matter. The CA should be able
> to add it.
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list