Hi Alan,

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
>
>   That is exactly what happens when the certificate
> doesn't have the proper OID's.
>
>   Alan DeKok.

I can be sure the client certificate has the Enhanced Key Usage showing Client Authentication (1.3.6.1.5.5.7.3.2). I have no way to verify whether the server certificate contains the proper OID, but here is the procedure I used to generate that certificate:

1. I created a file named xpextensions with the following content:

    [EMAIL PROTECTED]:/etc/ssl$ cat xpextensions
    [ xpclient_ext]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2
    [ xpserver_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

2. Create the server signing request:

    [EMAIL PROTECTED]:/etc/ssl$ openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

then sign it:

    [EMAIL PROTECTED]:/etc/ssl$ openssl ca -config ./openssl.cnf \
        -policy policy_anything -out server_cert.pem \
        -extensions xpserver_ext -extfile ./xpextensions \
        -infiles ./server_req.pem

3. Open the signed certificate and delete everything before the line -----BEGIN CERTIFICATE-----. Concatenate it and the key file into a single file:

    [EMAIL PROTECTED]:/etc/ssl$ cat server_key.pem server.cert.pem > \
        server_keycert.pem

The 3rd step is an extra step that the guide (http://www.linuxjournal.com/node/8095/print) told me to do. Is it correct?

I doubt maybe the problem remains in the OpenSSL library bundled with Ubuntu 6.06. Do you think so?

Please advise.

TIA,

Thai Duong
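
One way to check whether a signed certificate actually carries the extendedKeyUsage OIDs from the xpextensions file (an added example, not part of the original message). It assumes a reasonably recent openssl on the PATH and uses `openssl x509 -req` with a throwaway CA instead of the `openssl ca` setup in the post; the CA name, host name and the server_noeku.pem file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the Extended Key Usage (EKU) of a certificate.

# has_eku CERT NAME: succeeds if CERT's EKU extension lists NAME, where NAME
# is OpenSSL's display name for the OID, e.g.
#   1.3.6.1.5.5.7.3.1 -> "TLS Web Server Authentication"
#   1.3.6.1.5.5.7.3.2 -> "TLS Web Client Authentication"
has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# make_demo_certs DIR: constructed sample input. Builds a throwaway CA and
# signs one request twice: with -extensions xpserver_ext and without it.
make_demo_certs() {
    d=$1
    cat > "$d/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -keyout "$d/server_key.pem" -out "$d/server_req.pem" 2>/dev/null
    openssl x509 -req -in "$d/server_req.pem" -days 1 -CAcreateserial \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
        -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/server_cert.pem" 2>/dev/null
    openssl x509 -req -in "$d/server_req.pem" -days 1 -CAcreateserial \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
        -out "$d/server_noeku.pem" 2>/dev/null
}

# Usage: sh check_eku.sh server_cert.pem
if [ "$#" -ge 1 ]; then
    if has_eku "$1" 'TLS Web Server Authentication'; then
        echo "$1: server EKU present"
    else
        echo "$1: server EKU missing"
    fi
fi
```

Run against the real server_cert.pem, a "missing" result means the extension section was not applied at signing time.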