Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at
Wed Dec 26 08:17:19 CET 2018

I come accross a blog
which suggests that **In AD CS, the template to use is indicated by an
X.509 extension in the certificate signing request (CSR). The template
specifier can be one of two extensions.**

So if I just run command **make server.csr** and do nothing, the cert
request against windows CA would fail as I met before.  Because an X509
extension should be added in CSR.
Something like :
        Requested Extensions:
     # Your Cert template OID
As it's hard to add this extension, so here is a way to fix the error I met

1.  In MS CA, create your server template, duplicate `computer`  and name
it as `temp-computer`, please make sure DNS name is unchecked in Subject
Alternative Name of `temp-computer`. As this required FreeRadius is a
member of MS Active directory.
2.  change server.cnf and make sever.csr.
3. copy server.csr to MS CA.
4. Run-->cmd, run
certreq -submit -attrib “CertificateTemplate:temp-computer"
A window pops up, choose your server.csr file.

5. Done, save your certificate and copy to Freeradius server

 An alternative way is copying MS CA to Freeraidus and signing a server
certiificate.   I'll skip this one.

Over, good luck.

Hope some could fix the scripts of Makefile, add cert template required by
MS CA. :)

Merry X-mas !!!

More information about the Freeradius-Users mailing list