Cannot connect to Win10 PC with client certificate (no connection possible)

Alan DeKok aland at
Tue Jan 14 22:45:19 CET 2020

On Jan 14, 2020, at 2:43 PM, uj2.hahn at wrote:
> While I'm still struggling with my issue I read documentation again and
> again, especially about
> the cert documents.
> Now I'm so confused that I'd like to come back to some basic questions:
> raddb/certs/README says:
> $ vi client.cnf
> Edit the "input_password" and "output_password" fields to be the
> password for the client certificate. You will have to give these
> passwords to the end user who will be using the certificates.
> and later:
> $ make client.pem
> The users certificate will be in "emailAddress.pem",
> i.e. "user at".
> The bootstrap script is indeed creating this email-like certificate. But
> when I install it on
> the client PC there is no password needed (but installation is
> successful).

  Yes, a certificate doesn't need a signature.  

> But in addition the bootstrap script generates 5 more client files
> (client.pem, client.key etc.).
> When I install those I'm asked for the password (as expected).
> So: what is the correct file to load into the PC as client cert for

  The client certificate, and the client key.  The certificate has various forms (PEM, CRT, etc.).  You only need one.

> And one more question:
> raddb/certs/README says:
> The following steps will let you create a server certificate for use
> with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow
> similar steps to create an "inner-server.pem" file, for use with
> EAP-TLS that is tunneled inside of another TLS-based EAP method.
> The bootstrap script does not care about this inner-server.cfg config
> file and does not
> generate inner-server.pem. Is it correct? The Makefile does have an
> entry for that
> but this is not used by the bootstrap file.
> Is it intentional?

  Yes.  The inner-server certificate is used for mods-available/inner-eap.  If you don't use that module, then the inner-server certificate isn't necessary.

  Alan DeKok.
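
An added example, not from the original thread or the FreeRADIUS project: a small Python check of which PEM blocks a file holds and whether any of them is a passphrase-protected private key, which is what decides whether an import prompts for a password. The function names are hypothetical and the sample inputs are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: BEGIN label, optional RFC 1421 headers plus base64 body, END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def classify_pem(text):
    """Return [(label, needs_password), ...] for every PEM block in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 encrypted key: always passphrase protected.
            needs_password = True
        elif label.endswith("PRIVATE KEY"):
            # Traditional RSA/EC key: encrypted only when this header is present.
            needs_password = "Proc-Type: 4,ENCRYPTED" in body
        else:
            # CERTIFICATE and other public objects carry no secret.
            needs_password = False
        found.append((label, needs_password))
    return found

def summarize(text):
    """Answer the three questions that matter before handing a file to a user."""
    blocks = classify_pem(text)
    return {
        "has_certificate": any(l == "CERTIFICATE" for l, _ in blocks),
        "has_private_key": any(l.endswith("PRIVATE KEY") for l, _ in blocks),
        "password_required": any(p for _, p in blocks),
    }

# Constructed samples; the base64 bodies are placeholders.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nTUlJQ29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
CERT_AND_KEY = CERT_ONLY + (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nTUlJQ29uc3RydWN0ZWQ=\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
LEGACY_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "TUlJQ29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("cert only", CERT_ONLY), ("cert + key", CERT_AND_KEY),
                         ("legacy key", LEGACY_KEY)]:
        print(name, summarize(sample))
```

This only reads PEM text; a binary PKCS#12 (.p12) file has no PEM markers and would report no blocks at all.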
