Hi Ivan,
Try signing client certificates with the CA certificate. I have included a
modified Makefile for 2.1.3. I have added "make caclient.pem" to
produce client certificates and "cleanca" to remove them. Try
importing caclient.p12 created this way onto the user machine (along
with ca.der) and see if they will work with SP3. They should work with
SP2 as well.
Thanks for your reply, but that is already what I do. I have created a
CA in TinyCA and the server has a signed server-cert and each client has
a signed client-cert (both with the XP specific usage attributes). The
CA is of course imported into the trusted authorities branch. The CN is
the computer name (because I'm doing a machine-based auth). The certmgr
in XP says it's a valid and trusted cert. That's how it worked in SP2.
I compared your example-cert with my cert and I can't see a significant
difference.
Look here for my client-cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 127 (0x7f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de
        Validity
            Not Before: Jan 16 14:24:44 2009 GMT
            Not After : Jan 15 14:24:44 2014 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:a8:74:46:34:9e:7d:1d:45:71:0d:35:d8:48:ea:
                    [...]
                    39:72:cf:d8:e5:c8:6c:2e:7f:95:1d:6b:cb:49:78:
                    6f:94:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                DA:29:47:A5:D0:34:CC:D1:94:86:98:A4:65:68:C5:1D:F7:9C:E8:D5
            X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05
            X509v3 Issuer Alternative Name:
                email:sc...@kh-berlin.de
            X509v3 Subject Alternative Name:
                DNS:HFS-PA-140109-2
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9:
        [...]
        f7:80:cc:0f:42:db:b3:fd
I don't know what to do. Have you tried a machine-based EAP-TLS with SP3?
TIA
Alex
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
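Added example, not part of the thread: a small parser for the `openssl x509 -text` layout shown above, plus a checker for the client-certificate attributes the thread relies on for machine-based EAP-TLS (non-CA, Digital Signature, TLS Web Client Authentication EKU, SAN DNS entry equal to the CN). The sample dump is constructed from the posted certificate with key material elided, and the checks are an assumption about what is worth verifying, not a statement of any supplicant's rules.

```python
# Constructed sample modelled on the posted client cert (key material elided).
SAMPLE_DUMP = """\
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:HFS-PA-140109-2
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_x509_text(dump):
    """Return (subject RDNs, extensions) from an `openssl x509 -text` dump."""
    # openssl indents an extension's value lines deeper than its header line.
    subject, extensions, current, depth = {}, {}, None, 0
    for raw in dump.splitlines():
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if line.startswith("Subject:"):
            for rdn in line[len("Subject:"):].split(","):
                key, _, value = rdn.strip().partition("=")
                subject[key] = value
        elif line.startswith("X509v3 ") and ":" in line:
            name, _, flag = line[len("X509v3 "):].partition(":")
            current = extensions.setdefault(name, {"critical": flag.strip() == "critical", "values": []})
            depth = indent
        elif current is not None and line and indent > depth:
            current["values"].extend(v.strip() for v in line.split(","))
        else:
            current = None  # left the extension block (e.g. the signature section)
    return subject, extensions

def check_eap_tls_client(dump, expected_cn=None):
    """Evaluate the client-cert attributes discussed in the thread.

    Assumption: these checks mirror the posted cert's properties; they are
    not a statement of what any particular Windows release requires."""
    subject, ext = parse_x509_text(dump)
    cn = subject.get("CN")
    val = {name: e["values"] for name, e in ext.items()}
    return {
        "not_a_ca": "CA:FALSE" in val.get("Basic Constraints", []),
        "digital_signature": "Digital Signature" in val.get("Key Usage", []),
        "client_auth_eku": "TLS Web Client Authentication" in val.get("Extended Key Usage", []),
        "san_matches_cn": cn is not None and f"DNS:{cn}" in val.get("Subject Alternative Name", []),
        "cn_is_expected_host": expected_cn is None or cn == expected_cn,
    }
```

Run it against `openssl x509 -in caclient.pem -noout -text` output to compare a certificate's attributes with the ones shown in the thread.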