Anything special to apply a server cert by CSR for eap-tls?
luckydogxf at gmail.com
Fri Dec 14 11:57:42 CET 2018
1. Maybe I didn't choose the right cert template; the 'RAS and IAS server
template' is used for Windows NPS. Hard to say.
2. I'll try to use the 'RAS and IAS server' template, create a cert and export
it, then check what it requires by viewing it on Windows, or with openssl
x509 on Linux.
On Fri, Dec 14, 2018 at 6:34 PM luckydog xf <luckydogxf at gmail.com> wrote:
> The exact error msg is 'the request does not contain a certificate
> template extension or the Certificate Template request attribute.'
> I used make server.csr to generate the CSR, and chose the RAS and IAS Server
> template, which is used by NPS on Windows, including EKU of 18.104.22.168.22.214.171.124.1.
> So I guess some new attribute is added by the MS Server 2016 CA, which makes
> the CSR created by `make server.csr` incompatible with it.
> Find out a way to export CA of MS CA and sign with it in
> Will try it next week.
> A quick question: is it possible to not use a password for the client cert? So
> I'll use Group Policy and deploy it on all domain computers.
> All users share the same cert, is it best practice?
> On Fri, Dec 14, 2018 at 5:50 PM Matthew Newton <mcn at freeradius.org> wrote:
>> On Fri, 2018-12-14 at 17:33 +0800, luckydog xf wrote:
>> > Sorry to trouble you again. I created server.csr by make server.csr; when
>> > I apply for a cert with the server.csr created by 'make server.csr', MS
>> > Certificate Authority said it cannot find a cert template for my CSR.
>> You need to ask whoever runs your CA what that means.
>> The 'Makefile' in the certs dir will use openssl to generate working
>> certificates. It's plain text, so you can see what commands it runs.
>> > So has anyone experienced this and can offer me a little help?
>> Make sure the certificates you use have the TLS Web Server
>> Authentication and TLS Web Client Authentication OIDs in them. What
>> method you use to do that doesn't really matter. The CA should be able
>> to add it.
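The check discussed in the thread (confirm which Extended Key Usage values a CSR asks for and which ones the issued certificate actually carries, using openssl on Linux), as an added example that is not part of the original messages. The function names, file names and the CN `radius.example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are hypothetical.

# Print the Extended Key Usage line of a PEM certificate or PEM CSR.
# Tries to parse the file as a certificate first, then as a request.
eku_of() {
    { openssl x509 -in "$1" -noout -text 2>/dev/null ||
      openssl req  -in "$1" -noout -text 2>/dev/null; } |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# has_eku FILE NAME: succeed only if FILE lists the EKU called NAME,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
    case "$(eku_of "$1")" in
        *"$2"*) return 0 ;;
        *) echo "$1: EKU '$2' not present" >&2; return 1 ;;
    esac
}

# Build a throwaway key, a CSR and a self-signed cert in DIR that request
# the comma-separated EKUs in $2 (constructed sample input for the checks).
make_sample() {
    dir=$1 eku=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = ext
x509_extensions = ext
[dn]
CN = radius.example.test
[ext]
basicConstraints = CA:FALSE
extendedKeyUsage = $eku
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl req -x509 -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -days 1 -out "$dir/server.pem" 2>/dev/null
}
```

Running `has_eku` on the CSR and again on the certificate the CA returns shows whether the CA kept, added or dropped the EKU, whatever template it used.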