On Thu, 2008-12-11 at 01:13 +0100, [EMAIL PROTECTED] wrote: > >freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5) > > > >followed instructions in certs/README perfectly - so I believe. > > > >server certs seem fine but generated client cert in Windows shows > >"Windows does not have enough information to verify" and yes, I have > >loaded the 'ca.der' file generated by the instructions on the Windows > >client and that installs in 'Trusted Root Authorities'. The 'client' > >cert seems to install in 'Other People', and does include the > >XPextensions stuff. > > > >So I'm trying to verify the client certificate... > > > ># openssl verify -CAfile ca.pem [EMAIL PROTECTED] > >[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL > >PROTECTED] > >error 20 at 0 depth lookup:unable to get local issuer certificate > > > >so I figured I would try to verify it against the server file... > ># openssl verify -CAfile server.pem [EMAIL PROTECTED] > >[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server > >Certificate/[EMAIL PROTECTED] > >error 2 at 1 depth lookup:unable to get issuer certificate > > > >but indeed the server file verifies... > > > ># openssl verify -CAfile ca.pem server.crt > >server.crt: OK > > > ># openssl verify -CAfile ca.pem server.pem > >server.pem: OK > > > >This would seem pretty simple (the directions make it seem simple) > >edited client.cnf > >changed input/output password values to the same, simple value > >changed the e-mail address and cn to the same value as shown above > > > >What am I doing wrong? > > > > Try attached Makefile. It has been altered so client certificates are > signed by the ca and not server certificate. I was unable to > "persuade" up-to-date Windows PCs to accept server certificate as an > Intermediate CA. Changing the issuer resolved the problem. ---- OK - question...
I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over? Windows is still complaining with new client certificate and yes, system is XP Service Pack 3 so it's pretty much up-to-date Craig - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html