I think I found a reason. In the root and sub CA certificates, *Extended Key Usage* was set to "OCSP Signing", which limited the use of any user certificate issued by those CAs to the "OCSP Signing" purpose.

4.2.1.12. Extended Key Usage

"This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates." [RFC 5280]

After removing the EKU OIDs from the CA certificate everything works fine. But I still cannot understand why FR allowed the connection when I had removed the Sub2_CA certificate from the cert store.

Gabriel
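
The effect described in the post above, as an added example that is not part of the original message: a small model of a validator that treats an EKU on a CA certificate as a constraint on everything issued below it, used to find which certificate in a chain removes a required purpose. The chain contents, the names other than Sub2_CA, and the function names are constructed for illustration; the intersection rule is an assumption about the validator, not something RFC 5280 requires.

```python
# OIDs defined in RFC 5280 section 4.2.1.12.
ANY_EKU = "2.5.29.37.0"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

def effective_eku(chain):
    """Walk the chain root -> leaf, intersecting EKU sets.

    chain: list of (name, eku) where eku is a set of OIDs or None (no EKU
    extension). Returns (allowed, trace); allowed is None if unrestricted.
    """
    allowed, trace = None, []
    for name, eku in chain:
        # No EKU extension, or anyExtendedKeyUsage, adds no restriction.
        if eku is not None and ANY_EKU not in eku:
            allowed = set(eku) if allowed is None else allowed & set(eku)
        trace.append((name, None if allowed is None else frozenset(allowed)))
    return allowed, trace

def first_blocker(chain, purpose):
    """Name of the first certificate after which `purpose` is no longer allowed."""
    _, trace = effective_eku(chain)
    for name, allowed in trace:
        if allowed is not None and purpose not in allowed:
            return name
    return None

# Constructed chains: CA certificates carrying EKU "OCSP Signing", as in the
# post, and the same chain after the EKU OIDs are removed from the CAs.
BROKEN = [
    ("Root_CA", {OCSP_SIGNING}),
    ("Sub_CA", {OCSP_SIGNING}),
    ("Sub2_CA", None),
    ("user cert", {CLIENT_AUTH}),
]
FIXED = [(name, None) for name, _ in BROKEN[:3]] + [BROKEN[3]]

if __name__ == "__main__":
    for label, chain in (("before", BROKEN), ("after", FIXED)):
        blocker = first_blocker(chain, CLIENT_AUTH)
        print(label, "-> clientAuth blocked by:", blocker)
```
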