>freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
>
>followed instructions in certs/README perfectly - so I believe.
>
>server certs seem fine but generated client cert in Windows shows
>"Windows does not have enough information to verify" and yes, I have
>loaded the 'ca.der' file generated by the instructions on the Windows
>client and that installs in 'Trusted Root Authorities'. The 'client'
>cert seems to install in 'Other People', and does include the
>XPextensions stuff.
>
>So I'm trying to verify the client certificate...
>
># openssl verify -CAfile ca.pem [EMAIL PROTECTED]
>[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL PROTECTED]
>error 20 at 0 depth lookup:unable to get local issuer certificate
>
>so I figured I would try to verify it against the server file...
># openssl verify -CAfile server.pem [EMAIL PROTECTED]
>[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server
>Certificate/[EMAIL PROTECTED]
>error 2 at 1 depth lookup:unable to get issuer certificate
>
>but indeed the server file verifies...
>
># openssl verify -CAfile ca.pem server.crt
>server.crt: OK
>
># openssl verify -CAfile ca.pem server.pem
>server.pem: OK
>
>This would seem pretty simple (the directions make it seem simple)
>edited client.cnf
>changed input/output password values to the same, simple value
>changed the e-mail address and cn to the same value as shown above
>
>What am I doing wrong?
>

Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to "persuade" up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.

Ivan Kalik
Kalik Informatika ISP
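
An added example, not part of the thread or of the FreeRADIUS Makefile: a constructed throwaway PKI that reproduces the two issuer layouts discussed above, showing that `openssl verify -CAfile ca.pem` rejects a client certificate issued by the server certificate and accepts one issued directly by the CA. All subjects, file names and helper functions here are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: all names and files are made up for this example.
sign() {  # sign <issuer-basename> <csr> <out.pem> <serial>
    openssl x509 -req -in "$2" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial "$4" -days 1 -out "$3" 2>/dev/null
}

# Build a throwaway CA, server cert and two client certs in directory $1.
build_demo_pki() (
    cd "$1" || exit 1
    # Inline config so the result does not depend on the system openssl.cnf.
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -days 1 2>/dev/null || exit 1
    for name in server client; do
        openssl req -config demo.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=Example $name" -keyout "$name.key" \
            -out "$name.csr" 2>/dev/null || exit 1
    done
    sign ca server.csr server.pem 1 &&                  # server <- CA
    sign server client.csr client_by_server.pem 2 &&    # layout in the question
    sign ca client.csr client_by_ca.pem 3               # layout in the reply
)

# True only if the cert chains to ca.pem with no other certificates supplied.
verify_with_ca() {  # verify_with_ca <dir> <cert>
    openssl verify -CAfile "$1/ca.pem" "$1/$2" 2>&1 | grep -q ': OK$'
}
issuer_of() { openssl x509 -in "$1/$2" -noout -issuer; }

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
for cert in client_by_server.pem client_by_ca.pem; do
    issuer_of "$DEMO_DIR" "$cert"
    if verify_with_ca "$DEMO_DIR" "$cert"; then
        echo "$cert: chains to ca.pem"
    else
        echo "$cert: does not chain to ca.pem alone"
    fi
done
```

Comparing the `issuer=` line of a client certificate with the subject of `ca.pem` is the quickest check for which layout a given Makefile produced.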