Hi Ivan,

Try signing client certificates with the CA certificate. I have included a
modified Makefile for 2.1.3. I have added "make caclient.pem" to
produce client certificates and "cleanca" to remove them. Try
importing caclient.p12 created this way onto the user machine (along
with ca.der) and see if they will work with SP3. They should work with
SP2 as well.

Thanks for your reply, but that is already what I do. I have created a CA in TinyCA, and the server has a signed server cert and each client has a signed client cert (both with the XP-specific usage attributes). The CA is of course imported into the trusted authorities branch. The CN is the computer name (because I'm doing a machine-based auth). The certmgr in XP says it's a valid and trusted cert. That's how it worked in SP2.

I compared your example cert with my cert and I can't see a significant difference.

Look here for my client cert:


Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 127 (0x7f)
       Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de
       Validity
           Not Before: Jan 16 14:24:44 2009 GMT
           Not After : Jan 15 14:24:44 2014 GMT
        Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (4096 bit)
               Modulus (4096 bit):
                   00:a8:74:46:34:9e:7d:1d:45:71:0d:35:d8:48:ea:
[...]
                   39:72:cf:d8:e5:c8:6c:2e:7f:95:1d:6b:cb:49:78:
                   6f:94:4b
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client, S/MIME, Object Signing
           Netscape Comment:
               TinyCA Generated Certificate
           X509v3 Subject Key Identifier:
               DA:29:47:A5:D0:34:CC:D1:94:86:98:A4:65:68:C5:1D:F7:9C:E8:D5
           X509v3 Authority Key Identifier:
                keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de
                serial:89:0D:6F:61:AC:0C:E0:05

           X509v3 Issuer Alternative Name:
               email:sc...@kh-berlin.de
           X509v3 Subject Alternative Name:
               DNS:HFS-PA-140109-2
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Extended Key Usage: critical
               TLS Web Client Authentication
   Signature Algorithm: sha1WithRSAEncryption
       10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9:
 [...]
       f7:80:cc:0f:42:db:b3:fd


Don't know what to do. Have you tried a machine-based EAP-TLS with SP3?

TIA
Alex
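For readers following the thread: the script below is an added example, not part of either message and not the FreeRADIUS certs/Makefile. It does with plain openssl what the "make caclient.pem" target is described as doing: build a throwaway CA, sign a machine client certificate carrying the same extensions as the dump above (CA:FALSE, critical keyUsage digitalSignature + keyEncipherment, critical extendedKeyUsage clientAuth, SAN DNS equal to the CN, AKI/SKI), then check the result chains to the CA for the sslclient purpose and bundle it as a .p12 for import. The CA name "Example Lab CA", the hostname HOST-01 and the PKCS#12 password are placeholders.

```shell
#!/bin/sh
# Added example: mint and check an EAP-TLS machine client certificate with openssl.
# All names (Example Lab CA, HOST-01, the p12 password) are placeholders, not from the thread.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${1:-HOST-01}"

# Self-signed CA with the extensions a signing CA needs (CA:TRUE, keyCertSign).
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
C = DE
O = Example Lab
CN = Example Lab CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Client cert: CN and SAN both set to the machine name, client-only key usage.
make_client() {
    host="$1"
    cat > "$WORK/client.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = DE
O = Example Lab
CN = $host
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/client.cnf" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.cnf" -extensions client_cert \
        -out "$WORK/client.pem" 2>/dev/null
}

# Returns 0 only if the cert chains to the CA for the client purpose and the
# dump shows the clientAuth EKU and the expected DNS SAN.
verify_client() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/client.pem" >/dev/null 2>&1 || return 1
    dump=$(openssl x509 -in "$WORK/client.pem" -noout -text)
    printf '%s\n' "$dump" | grep -q "TLS Web Client Authentication" || return 1
    printf '%s\n' "$dump" | grep -q "DNS:$1" || return 1
}

# Key + cert + CA in one PKCS#12 for import on the client machine.
make_p12() {
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.pem" -passout pass:changeme -out "$WORK/client.p12" 2>/dev/null
    [ -s "$WORK/client.p12" ]
}

main() {
    make_ca
    make_client "$HOST"
    verify_client "$HOST"
    make_p12
    echo "OK: $WORK/client.p12 (CA: $WORK/ca.pem)"
}

main
```

Run it as `sh mkclient.sh HOST-01`; the hostname argument becomes both CN and SAN, which is what a machine-based EAP-TLS client expects. The `-purpose sslclient` check in verify_client is the quickest way to confirm the EKU is right before touching the Windows side, and the same `openssl x509 -noout -text` dump is what to compare against the thread's cert above.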


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
