Recreated certs, same issue came with the Issuer field. XPExtensions are used. Password is the same in this file and what Freeradius has; just changed it to protect it.
Here is the batch file I'm using to create the certs. I don't see anything amiss between it and the page you sent.. any ideas?

    PATH=C:\openssl\bin;C:\ssl1;%path%
    export LD_LIBRARY_PATH=C:\openssl\lib
    CD\SSL1

    REM CA Creation
    REM self-signed root; -keyout and -out both name newreq.pem, so key and cert land in one file
    C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    REM wrap the root cert in a PKCS#12, unpack it to PEM again, then convert to DER for Windows import
    C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out root.der

    REM Client cert Create
    REM CSR plus key, again both written to newreq.pem
    C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    REM sign with the CA configured in openssl.cnf (default_ca section); no -cert/-keyfile given here, so root.pem from above is not what signs
    C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile xpexts -infiles newreq.pem
    C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der

    REM Server Cert Create
    C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    REM same as the client step, with the server EKU section; signer is again the openssl.cnf CA
    C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile xpexts -infiles newreq.pem
    C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
    C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Jason Wittlin-Cohen
> Sent: Monday, October 09, 2006 12:12 AM
> To: freeradius-users@lists.freeradius.org
> Subject: EAP-TLS Certificate problems.
>
> Brian vb said: "CA is in trusted root stores under "Current User", and client is in Personal under "Current User". One thing I see when viewing the certs is the Root has "Locker Systems" (using a random name to keep the identity of my company out of the certs) as the issuer and the client has SSLeay Demoserver.. looks like OpenSSL didn't make the certs right for some odd reason.. it's like it used its own CA root or something else happened. I will recreate the certs but I'm quite sure I entered the same data in all certs except common name, which I made the same as the machine the cert will reside on. Root CA common name didn't match any machine name. Where should the CA be? Machine or User?"
>
> First, when you create the server and client certificates you need to use the Microsoft attributes for Server and Client authentication.
>
> [ xpclient_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.2
> [ xpserver_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.1
>
> I would suggest following the instructions here:
> http://www.linuxjournal.com/node/8095/print
> The howto is for setup of Freeradius on Linux, but it should be similar on Windows because it's the OpenSSL commands that matter when creating the certs.
>
> In order to find out if the certificate is correct, you can double click the certificate in the Personal store and go to "Certification Path". You should see the certificate common name as well as the common name of your Root CA. If you don't, something is wrong. You should also see "This certificate is OK" in the Certificate status box. If this isn't the case, either the certificate was signed by the wrong CA, or the Root CA wasn't properly loaded into the User "Trusted Root Certificate Authorities" store.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
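The steps the quoted reply describes (signing the client and server certs with the Microsoft EKU OIDs, then checking that each one chains to your own root CA rather than to some other CA) as an added example; this is not code from either poster or from FreeRADIUS. It assumes a POSIX shell with OpenSSL on the PATH; "Example Root CA", "Other CA" and the file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, sign a client and
# a server leaf with the Microsoft EKU OIDs from the quoted reply, then check
# that each leaf chains to THIS CA. The thread's symptom is a leaf signed by
# whatever CA openssl.cnf points at. Assumes OpenSSL on PATH; names made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 1; }
WORK=$(mktemp -d); cd "$WORK"
# 1. Root CA: self-signed, key and cert in separate files.
openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
  -subj "/CN=Example Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. Leaf: CSR, then sign with ca.pem/ca.key (-CA/-CAkey: the step the batch
#    file leaves to openssl.cnf) using a named section like xpclient_ext.
#    $1 = name, $2 = EKU OID (...7.3.1 = serverAuth, ...7.3.2 = clientAuth)
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '[ %s_ext ]\nextendedKeyUsage = %s\n' "$1" "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 730 -extfile "$1.ext" -extensions "$1_ext" -out "$1.pem" 2>/dev/null
}
make_leaf client 1.3.6.1.5.5.7.3.2
make_leaf server 1.3.6.1.5.5.7.3.1

# 3. Reproduce the symptom: the client CSR signed by a different CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
  -subj "/CN=Other CA" -keyout other.key -out other.pem 2>/dev/null
openssl x509 -req -in client.csr -CA other.pem -CAkey other.key \
  -CAcreateserial -days 730 -out stray.pem 2>/dev/null

# 4. What the Windows "Certification Path" tab checks, done on the CLI.
issuer_matches_ca() {   # issuer DN of $1 equals the subject DN of ca.pem
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  s=$(openssl x509 -in ca.pem -noout -subject | sed 's/^subject=//')
  [ "$i" = "$s" ]
}
chain_ok() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }
has_eku() {   # $2 is the name OpenSSL prints, e.g. "TLS Web Client Authentication"
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

for f in client server stray; do
  if issuer_matches_ca "$f.pem" && chain_ok "$f.pem"; then
    echo "$f.pem: issuer OK, chains to ca.pem"
  else
    echo "$f.pem: signed by the wrong CA (the thread's symptom)"
  fi
done
```

stray.pem reproduces what Brian saw: its issuer is not the root you intended, so the chain check fails even though the EKU section and common names are all fine.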