Cannot connect to Win10 PC with client certificate (no connection possible)
Alan DeKok
aland at deployingradius.com
Tue Jan 14 22:45:19 CET 2020
On Jan 14, 2020, at 2:43 PM, uj2.hahn at posteo.de wrote:
> While I'm still struggling with my issue I read documentation again and
> again, especially about
> the cert documents.
> Now I'm so confused that I like to come back to some basic questions:
>
> raddb/certs/README says:
>
> $ vi client.cnf
>
> Edit the "input_password" and "output_password" fields to be the
> password for the client certificate. You will have to give these
> passwords to the end user who will be using the certificates.
>
> and later:
> $ make client.pem
>
> The users certificate will be in "emailAddress.pem",
> i.e. "user at example.com.pem".
>
> The bootstrap script is indeed creating this email-like certificate. But
> when I install it on
> the client PC there is no password needed (but installation is
> successful).
Yes, a certificate doesn't need a signature.
> But in addition the bootstrap script generates 5 more client files
> (client.pem, client.key etc.).
> When I install those I'm asked for the password (as expected).
> So: what is the correct file to load into the PC as client cert for
> EAP-TLS?
The client certificate, and the client key. The certificate has various forms (PEM, CRT, etc.). You only need one.
> And one more question:
>
> raddb/certs/README says:
>
> MAKING A SERVER CERTIFICATE
>
> The following steps will let you create a server certificate for use
> with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow
> similar steps to create an "inner-server.pem" file, for use with
> EAP-TLS that is tunneled inside of another TLS-based EAP method.
>
> The bootstrap script does not care about this inner-server.cfg config
> file and does not
> generate inner-server.pem. Is it correct? The Makefile does have an
> entry for that
> but this is not used by the bootstrap file.
> Is it on intention?
Yes. The inner-server certificate is used for mods-available/inner-eap. If you don't use that module, then the inner-server certificate isn't necessary.
Alan DeKok.
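The thread turns on which of the generated files carries a private key and which of those keys is password-protected, since that is what decides whether the client prompts for a password at import time. The following is an added example, not code from the FreeRADIUS project or from either poster: a small dependency-free PEM bundle inventory that reports how many certificate blocks and private-key blocks a file contains, whether each key is encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" or a traditional key carrying a "Proc-Type: 4,ENCRYPTED" header), and whether any block body is not valid base64. The sample bundles are constructed placeholders with fake DER payloads, not real certificates.

```python
"""Inventory a PEM bundle before handing it to an EAP-TLS client.

Added example, not part of FreeRADIUS or the mailing-list thread. It answers,
offline, the practical question behind the thread: does this file carry only a
certificate, or also a private key, and is that key password-protected?
"""
import base64
import re
from dataclasses import dataclass, field

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str
    encrypted: bool
    valid_base64: bool


@dataclass
class Inventory:
    certificates: int = 0
    private_keys: int = 0
    encrypted_keys: int = 0
    problems: list = field(default_factory=list)


def parse_pem(text):
    """Split a PEM file into blocks, noting encryption headers and base64 validity."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        # Traditional encrypted keys put "Proc-Type"/"DEK-Info" headers before a blank line.
        parts = re.split(r"\r?\n\r?\n", body, maxsplit=1)
        headers, payload = (parts[0], parts[1]) if len(parts) == 2 else ("", body)
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in headers
        try:
            base64.b64decode("".join(payload.split()), validate=True)
            valid = True
        except ValueError:  # binascii.Error is a ValueError subclass
            valid = False
        blocks.append(PemBlock(label, encrypted, valid))
    return blocks


def inventory(text):
    """Summarise what the bundle contains and flag what a reviewer should reject."""
    inv = Inventory()
    for b in parse_pem(text):
        if not b.valid_base64:
            inv.problems.append(f"{b.label}: body is not valid base64 (truncated or corrupted?)")
        if b.label == "CERTIFICATE":
            inv.certificates += 1
        elif b.label.endswith("PRIVATE KEY"):
            inv.private_keys += 1
            if b.encrypted:
                inv.encrypted_keys += 1
            else:
                inv.problems.append(f"{b.label}: private key is stored unencrypted")
    if inv.certificates == 0:
        inv.problems.append("no certificate block found")
    return inv


# Constructed sample payload: valid base64 of a placeholder string, not real DER.
FAKE_DER = base64.b64encode(b"constructed placeholder, not real DER").decode()

# Constructed: certificate only; no key, so nothing for a client to ask a password for.
CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"

# Constructed: certificate plus a password-protected traditional RSA key.
CERT_AND_ENCRYPTED_KEY = CERT_ONLY + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"  # constructed IV
    "\n"
    f"{FAKE_DER}\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Constructed: the bundle a reviewer should reject, an unencrypted PKCS#8 key.
CERT_AND_PLAIN_KEY = CERT_ONLY + (
    f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, bundle in [("cert only", CERT_ONLY),
                         ("cert + encrypted key", CERT_AND_ENCRYPTED_KEY),
                         ("cert + plain key", CERT_AND_PLAIN_KEY)]:
        print(name, inventory(bundle))
```

Run it against the real files the bootstrap script produced (`python3 pem_inventory.py` with the bundles read from disk instead of the constructed constants) to see at a glance which file is certificate-only and which one carries the key that will trigger the password prompt on import; an unencrypted key or a truncated body shows up in `problems`.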