Anything special to apply a server cert by CSR for eap-tls?
Matthew Newton
mcn at freeradius.org
Fri Dec 14 11:57:57 CET 2018
On Fri, 2018-12-14 at 18:34 +0800, luckydog xf wrote:
> The exact error msg is ' the request does not contain a certificate
> template extension or the Certificate Template request attribute.'
> I used make server.csr to generate CSR, and chose RAS and IAS Server
> template which is used by NPS of Windows, including EKU of
> 1.3.6.1.5.5.7.3.1.
I'm not sure how else to say "you need to talk to the person who runs
your CA". Looking at Microsoft errors isn't relevant to the FreeRADIUS
list.
> A quick question, is it possible to not use password for client cert?
Yes.
> So I'll use Group policy and deploy it on all domain computers.
> All users share the same cert, is it best practice?
When one of your users does something bad, you have to reissue a new
certificate to everyone, and you probably don't know who it was anyway?
So no.
--
Matthew