Hi Robert, >> error 26 : unsupported certificate purpose
It seems the cert gets declined because of a problem with cert extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In your case, the leaf certificate "CAPF-91d43ef6" has two extensions: Object 00: X509v3 Key Usage Digital Signature, Key Encipherment Object 01: X509v3 Extended Key Usage TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System I would check if an extension is now missing/newly required, or no longer recognized. Try check for differences in the openssl.cnf and freeradius config files between the old Debian system and the new one. Some EAP TLS guides (incl. Cisco) also list extensions "nonRepudiation" and "dataEncipherment", but this is just a guess since you mentioned it works on the old system. >> I have some problems with new Cisco CAPF certs What is the authenticating device? Cisco IP phone? Cheers, Frank
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users