certificate client.* non valid on windows XP
Hi, I use FreeRADIUS 2.0.5 on openSUSE 10.3. I ran the bootstrap script, then make client.pem and make client.p12.

- I imported ca.der on my XP laptop, located in the CA Authority container. I imported server.p12 too (just to verify the signature) and everything is OK.
- But when I import client.p12, Windows tells me this certificate is not valid! And I don't know why.

I executed two commands, server.vrfy and client.vrfy, hoping their output (below) could help. Thank you for helping.

    linux:/etc/raddb/certs # make server.vrfy
    openssl verify -CAfile ca.pem server.pem
    server.pem: OK
    make client.vrfy
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
    openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
    MAC verified OK
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
    openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
    MAC verified OK
    cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem
    c_rehash .
    Doing .
    02.pem = eee97f35.0
    WARNING: Skipping duplicate certificate [EMAIL PROTECTED]
    client.pem = 583a9f4b.0
    01.pem = dcd1729a.0
    WARNING: Skipping duplicate certificate [EMAIL PROTECTED]
    server.pem = dcd1729a.1
    WARNING: Skipping duplicate certificate 03.pem
    WARNING: Skipping duplicate certificate 04.pem
    ca.pem = 23537b55.0
    openssl verify -CApath . client.pem
    client.pem: OK

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: certificate client.* non valid on windows XP
I had the same problem. The fact is that server is an intermediate authority and, using Internet Explorer, you need to install server.p12 into the intermediate trusted CA container. Also check the validity period (beginning date). I had to change the Windows date to the next day, but I don't remember why. Finally I made my own CA because the default RADIUS PKI was confusing me, and I used my CA private key to sign client.* I hope that this helps you.
Re : certificate client.* non valid on windows XP
Thank you Sergio for your answer. Windows also says that one of the certificate authorities seems not to be able to deliver certificates or can't be used as a final entity... So I tried what you said: install Server.p12 as intermediate CA, without resolving the problem. I will try to make my own certs and see. Thanks!
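The Windows error quoted in the message above is consistent with the basic-constraints failure a validator raises when a certificate that signed another one is not itself marked as a CA. The following added example (not part of the thread, and not FreeRADIUS's own scripts) reproduces that with OpenSSL on a constructed chain, assuming, as Sergio describes, that the client certificate was issued by the server certificate; all subjects, file names and the `demo.cnf` config are constructed.

```sh
#!/bin/sh
# Added example. Everything is built in a scratch directory; nothing here
# touches /etc/raddb. Subjects and file names are constructed.

# Succeeds if the certificate carries basicConstraints CA:TRUE, i.e. it is
# allowed to sign other certificates.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# chain_ok ROOT LEAF [extra "openssl verify" args, e.g. -untrusted x.pem]
# Succeeds if LEAF validates up to the trusted ROOT.
chain_ok() {
    root=$1; leaf=$2; shift 2
    openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1
}

# Build the constructed PKI in directory $1:
#   ca.pem                 self-signed, CA:TRUE
#   server.pem             signed by ca, CA:FALSE, serverAuth
#   client_via_server.pem  signed by server (the layout discussed above)
#   client_via_ca.pem      signed directly by ca
build_demo_pki() {
    (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    newreq() {  # newreq NAME SUBJECT -> NAME.key, NAME.csr
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    }
    sign() {    # sign NAME ISSUER EXT_SECTION SERIAL OUTFILE
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -set_serial "$4" -days 30 -extfile demo.cnf -extensions "$3" \
            -out "$5" 2>/dev/null
    }
    openssl req -x509 -new -newkey rsa:2048 -nodes -config demo.cnf \
        -extensions ca_ext -days 30 -subj "/CN=Constructed Test CA" \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    newreq server "/CN=Constructed RADIUS Server" || exit 1
    newreq client "/CN=constructed-user@example.org" || exit 1
    sign server ca server_ext 1 server.pem || exit 1
    sign client server client_ext 2 client_via_server.pem || exit 1
    sign client ca client_ext 3 client_via_ca.pem || exit 1
    )
}

# Print what a validator sees for each layout.
demo_report() {
    work=$(mktemp -d) || return 1
    build_demo_pki "$work" || { rm -rf "$work"; return 1; }
    for name in ca server; do
        if is_ca "$work/$name.pem"; then
            echo "$name.pem: CA:TRUE, may issue certificates"
        else
            echo "$name.pem: not a CA, must not issue certificates"
        fi
    done
    if chain_ok "$work/ca.pem" "$work/client_via_server.pem" \
            -untrusted "$work/server.pem"; then
        echo "client signed by server: chain accepted"
    else
        echo "client signed by server: chain rejected"
    fi
    if chain_ok "$work/ca.pem" "$work/client_via_ca.pem"; then
        echo "client signed by CA: chain accepted"
    else
        echo "client signed by CA: chain rejected"
    fi
    rm -rf "$work"
}

demo_report
```

Running `is_ca` on the real server.pem and ca.pem from the certs directory shows whether the certificate that issued client.pem is marked as a CA.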
Re: Re : certificate client.* non valid on windows XP
Try to install server.cer, not server.p12, into the intermediate container. Open the client cert with IE and look at the certification route. If you can see the 3-level route but the client cert isn't OK, check the dates. I'm sure this works.
Re : Re : certificate client.* non valid on windows XP
Installing ca.der, server.crt and client.crt, I obtain exactly the same result!!
Re : certificate client.* non valid on windows XP
Reveal MAP wrote:
> Installing ca.der, server.crt and client.crt, I obtain exactly the same result!!
Re : Re : certificate client.* non valid on windows XP
Thanks for your help Sergio, but it is exactly the same!! It doesn't work.
Re : certificate client.* non valid on windows XP
Reveal MAP wrote:
> Thanks for your help Sergio, but it is exactly the same!! It doesn't work.
Re : Re : certificate client.* non valid on windows XP
Thanks a lot guy! I tried to create my own certificate (that I didn't verify), but I still encounter a problem generating the client certificate: the key file and the .p12 file are empty and I don't know why (size 0 KB), and it gives no error message!! I will try the scripts you gave me... Mine are below and could have a mistake on the client lines:

    #
    # Create a new self-signed CA certificate
    #
    # cakey.pem, cacert.pem:
    openssl req -new -x509 -keyout /etc/raddb/Md5CA/Private/cakey.pem -out /etc/raddb/Md5CA/cacert.pem -config /etc/raddb/Md5CA/conf/ca.cnf

    ca.der: ca.pem
        openssl x509 -inform PEM -outform DER -in /etc/raddb/Md5CA/cacert.pem -out /etc/raddb/Md5CA/cacert.der

    # server certificate request
    openssl req -newkey rsa:1024 -keyout /etc/raddb/Md5CA/keys/radiusserver2_key.pem -out /etc/raddb/Md5CA/req/radiusserver2_cert.req -config /etc/raddb/Md5CA/conf/server.cnf

    # sign the server certificate
    openssl ca -out /etc/raddb/Md5CA/certs/radiusserver2_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/Md5CA/req/radiusserver2_cert.req

    # client certificate request
    #openssl req -new -nodes -keyout /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/req/toutou_cert.req
    openssl req -newkey rsa:1024 -keyout /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/req/toutou_cert.req -config /etc/raddb/Md5CA/conf/client.cnf

    # sign the client certificate
    openssl ca -out /etc/raddb/certs/Md5CA/certs/toutou_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/Md5CA/req/toutou_cert.req

    # convert the client certificate to PKCS#12 format
    openssl pkcs12 -export -in /etc/raddb/Md5CA/certs/toutou_cert.pem -inkey /etc/raddb/Md5CA/key/toutou_key.pem -out /etc/raddb/Md5CA/certs/p12s/toutou_certs.p12 -clcerts

    #
    # Miscellaneous rules.
    #
    index.txt:
        @touch index.txt

    serial:
        @echo '01' > serial

    random:
        @if [ -e /dev/urandom ] ; then \
            dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
        else \
            date > ./random; \
        fi

    print:
        openssl x509 -text -in server.crt

    printca:
        openssl x509 -text -in ca.pem

    clean:
        @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem

    #
    # Run distclean ONLY if there's a CVS directory, AND it points to
    # cvs.freeradius.org. Otherwise, it would be easy for administrators
    # to type make distclean, and destroy their CA and server certificates.
    #
    distclean:
        @if [ -d CVS -a `grep -i 'cvs\.freeradius\.org' CVS/Root` ] ; then \
            rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
                serial* random *\.0 *\.1; \
        fi

MBA OYONE Joël