Cannot connect to Win10 PC with client certificate (no connection possible)

uj2.hahn at uj2.hahn at
Tue Jan 14 20:43:04 CET 2020

 While I'm still struggling with my issue I read documentation again and
again, especially about
 the cert documents.
 Now I'm so confused that I like to come back to some basic questions:

 raddb/certs/README says:

 $ vi client.cnf

 Edit the "input_password" and "output_password" fields to be the
 password for the client certificate. You will have to give these
 passwords to the end user who will be using the certificates.

and later:
 $ make client.pem

 The users certificate will be in "emailAddress.pem",
 i.e. "user at".

The bootstrap script is indeed creating this email-like certificate. But
when I install it on
the client PC there is no password needed (but installation is
But in addition the bootstrap script generates 5 more client files
(client.pem, client.key etc.).
When I install those I'm asked for the password (as expected).
So: what is the correct file to load into the PC as client cert for

And one more question:

raddb/certs/README says:


 The following steps will let you create a server certificate for use
 with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow
 similar steps to create an "inner-server.pem" file, for use with
 EAP-TLS that is tunneled inside of another TLS-based EAP method.

The bootstrap script does not care about this inner-server.cfg config
file and does not
generate inner-server.pem. Is it correct? The Makefile does have an
entry for that
but this is not used by the bootstrap file.
Is it on intention?


On 14.01.2020 17:16, Alan DeKok wrote: 

> On Jan 14, 2020, at 9:13 AM, uj2.hahn at wrote:
> The Windows system decided that it didn't like the server certificate, and stopped doing EAP.
> Where did you get these certs from? Are you using the testing certs from raddb/certs? Those *do* work.
> I created the certs on my side via the method described in freeradius certs folder.

 Then the certs are OK.

> And they do work with my Android devices.
> But I will follow the hint and use the testing certs.

 The important thing is to use the scripts in raddb/certs. They set up
all the various certificate magic that Windows likes.

 It's likely that the certs are OK, and that you're missing some magic
configuration on the Windows side.

 Alan DeKok.

List info/subscribe/unsubscribe? See [1]


More information about the Freeradius-Users mailing list