Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at
Fri Dec 14 11:57:42 CET 2018

1. maybe I didn't choose the right cert template, 'RAS and IAS server
template' is used for windows NPS.  Hard to say.
2. I'll try to use 'RAS and IAS server temp' and create a cert and export
it, then check what  does it  require by view it on windows, or openssl
x509 on Linux.

On Fri, Dec 14, 2018 at 6:34 PM luckydog xf <luckydogxf at> wrote:

> The exact error msg is '  the request does not contain a certificate
> template extension or the Certificate Template request attribute.'
> I used make server.csr to generate CSR, and choose RAS and IAS Server
> template which used by NPS of windows, including EKU of
> So I guess some new attribute is added by MS server 2016 CA, which  makes
> CSR created by `make server.csr` isn't  compatible with it.
> Find out a way to export CA of MS CA and sign with it in
> Will try it next week.
> A quick question, is it possible to not use password for client cert ? So
> I'll use Group policy and deploy it on all domain computers.
> All users share the same cert,  is is best practice?
> Thanks.
> On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn at> wrote:
>> On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
>> >    Sorry to trouble you again, I create server.csr by make
>> > server.csr, when
>> > I apply a cert by server.csr created by 'make server.csr', MS
>> > Certificiate
>> > Authority said cannot find cert template for my csr.
>> You need to ask whoever runs your CA what that means.
>> The 'Makefile' in the certs dir will use openssl to generate working
>> certificates. It's plain text, so you can see what commands it runs.
>> >    So does anyone have expericenced this and offer me a little help?
>> Make sure the certificates you use have the TLS Web Server
>> Authentication and TLS Web Client Authentication OIDs in them. What
>> method you use to do that doesn't really matter. The CA should be able
>> to add it.
>> --
>> Matthew
>> -
>> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list