I have had to add certs to two different places in Windows in order for them to be found.

I added them using system32/certmgr -- but that is not enough. I have found I also need to add them using the certificate control panel in Internet Explorer. I use certs to sign documents in OpenOffice among others. If you are finding that you cannot find certs you thought you had added, try adding them in both of these places.

Lee

Sergio wrote:
Venkata LK Mula wrote:

Hi,

With reference to the above-mentioned subject, we have generated root, server and client certificates in .pfx (p12) and .der format in FreeRADIUS using OpenSSL, and installed these certificates on the Windows XP client. When I try to associate the Windows client to the network, it displays the message "Windows was unable to find the certificate to log you on the network Roaming test2". Can anybody look into the issue and suggest possible solutions, please?

regards,

Venkat


------------------------------------------------------------------------


If you used the FreeRADIUS utilities to issue certificates (make ca.pem, make server.pem, make client.pem, the bootstrap command, etc.), you need to mark the server certificate as CA:true or something like this, because the server is the issuer of the client certs (at least in the default radius PKI). See and compare ca.cnf and server.cnf and you will see that the default configuration doesn't put issuing permissions into the server certificate, only into the CA's. Because the server hasn't got issuing permission, Windows considers the certification path to be broken. You can see it in Mozilla or IE.

If you don't want to use the server certificate to sign client certs, you can issue them with ca.pem, changing only two options in the Makefile (client.pem rule), or you can use your own commands. I have this configuration and it works perfectly; it's just a different PKI. But if your client certs are now signed by the root authority and Windows was unable to find it, I can't help you more :)

Also, be sure that the server and client certs have the correct extensions to work on XP. These extensions are KeyUsage and a list of numbers separated by points. The above commands, in this case, add these extensions. Hope this helps.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


--
Leonard F. Elia III, CISSP     757.864.5009
Sr. System Administrator
ConITS - NASA Langley Research Center
NCI Information Systems, Inc., Hampton VA
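
Added example (not from the thread and not FreeRADIUS's own scripts): the script below builds a throwaway root, server and client chain with OpenSSL and checks the situation Sergio describes, where a client certificate signed by the server certificate only chains to the root when the server certificate carries CA:TRUE. All subjects, file names and the `chain_verifies` helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed chain root -> server -> client, in which the server
# certificate signs the client certificate. All subjects and file names are made up.

chain_verifies() {   # $1: basicConstraints value placed in the server certificate
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        # Minimal config so the run does not depend on the system openssl.cnf.
        printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > demo.cnf
        printf 'basicConstraints=critical,CA:TRUE\n' >> demo.cnf
        printf 'basicConstraints=%s\n' "$1" > server.ext
        printf 'basicConstraints=CA:FALSE\n' > client.ext

        # Self-signed root CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config demo.cnf \
            -extensions v3_ca -subj '/CN=Demo Root CA' \
            -keyout ca.key -out ca.pem 2>/dev/null || exit 2

        # Server certificate, signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj '/CN=Demo RADIUS Server' \
            -keyout server.key -out server.csr 2>/dev/null || exit 2
        openssl x509 -req -in server.csr -days 2 -CA ca.pem -CAkey ca.key \
            -CAcreateserial -extfile server.ext -out server.pem 2>/dev/null || exit 2

        # Client certificate, signed by the server certificate.
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj '/CN=Demo Client' \
            -keyout client.key -out client.csr 2>/dev/null || exit 2
        openssl x509 -req -in client.csr -days 2 -CA server.pem -CAkey server.key \
            -CAcreateserial -extfile client.ext -out client.pem 2>/dev/null || exit 2

        # Trust only the root; offer the server certificate as an intermediate.
        openssl verify -CAfile ca.pem -untrusted server.pem client.pem 2>/dev/null \
            | grep -q ': OK$'
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

for bc in CA:FALSE CA:TRUE; do
    if chain_verifies "$bc"; then result="chain verifies"; else result="chain is broken"; fi
    echo "server basicConstraints=$bc -> $result"
done
```

The script needs only `openssl` on the PATH and works in a temporary directory that it removes afterwards.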

