[EMAIL PROTECTED] wrote:
Try attached Makefile. It has been altered so client certificates are
signed by the ca and not server certificate. I was unable to
persuade up-to-date Windows PCs to accept server certificate as an
Intermediate CA. Changing the issuer resolved the problem.
Shouldn't
Shouldn't that be:
$ diff Makefile.20081211 Makefile
92c92
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr
-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext
-extfile xpextensions -config ./client.cnf
---
openssl ca -batch -keyfile ca.key -cert ca.pem
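Review bot: In the first command of the `92c92` change, `-keyfile ca.key` is paired with `-key $(PASSWORD_SERVER)`, so the CA private key is being unlocked with the server key's passphrase variable. That only works when the two passphrases happen to be identical; the command should take the passphrase that protects `ca.key`, and the Makefile should keep the CA and server passphrases as separate variables so the pairing is explicit. The second command is cut off after `-cert ca.pem`, so its `-key` argument cannot be checked from what is shown here.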
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
followed instructions in certs/README perfectly - so I believe.
server certs seem fine but generated client cert in Windows shows
Windows does not have enough information to verify and yes, I have
loaded the 'ca.der' file generated by the
On Thu, 2008-12-11 at 01:13 +0100, [EMAIL PROTECTED] wrote:
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
followed instructions in certs/README perfectly - so I believe.
server certs seem fine but generated client cert in Windows shows
Windows does not have enough information
server certs seem fine but generated client cert in Windows shows
Windows does not have enough information to verify and yes, I have
loaded the 'ca.der' file generated by the instructions on the Windows
client and that installs in 'Trusted Root Authorities'. The 'client'
cert seems to install in
I only re-generated the 'client' certificate but in doing a diff, it
appears that every level of cert generation has changed...do I have to
start over?
You should. Original Makefile was creating ca certificate that was valid
only for 30 days. This one will use value from ca.cnf.
Windows is
On Wed, 2008-12-10 at 19:32 -0500, Jason Wittlin-Cohen wrote:
server certs seem fine but generated client cert in Windows shows
Windows does not have enough information to verify and yes, I have
loaded the 'ca.der' file generated by the instructions on the Windows
client and that installs in
Craig,
Apparently Windows automatically sends non-CA certificates in DER or PEM
format to the 'Other People' certificate store. More importantly, the
wireless supplicant in Windows XP will not work with PEM or DER formatted
client certificates. It'll complain that you have no certificate. You
On Thu, 2008-12-11 at 01:49 +0100, [EMAIL PROTECTED] wrote:
I only re-generated the 'client' certificate but in doing a diff, it
appears that every level of cert generation has changed...do I have to
start over?
You should. Original Makefile was creating ca certificate that was valid
only
Is it normal for this 'client' certificate to show Windows does not
have enough information to verify this certificate when you view it?
No. Click on the details and see who is the issuer - server or ca. You
should give users .p12 certificates which can't be installed without a
password used to
Apparently Windows automatically sends non-CA certificates in DER or PEM
format to the 'Other People' certificate store. More importantly, the
wireless supplicant in Windows XP will not work with PEM or DER formatted
client certificates. It'll complain that you have no certificate. You must
On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote:
Craig,
Apparently Windows automatically sends non-CA certificates in DER or
PEM format to the 'Other People' certificate store. More importantly,
the wireless supplicant in Windows XP will not work with PEM or DER
formatted
Craig,
Have you tried authenticating with the same certificate from a different
computer, or using a different supplicant? The XP supplicant is pretty
awful. If you have an Intel card, you can download the Intel PROset software
for free which has more features than XP's supplicant, supports more
On Wed, 2008-12-10 at 21:36 -0500, Jason Wittlin-Cohen wrote:
Craig,
Have you tried authenticating with the same certificate from a
different computer, or using a different supplicant? The XP supplicant
is pretty awful. If you have an Intel card, you can download the Intel
PROset software
Dave Huff dbhuff at yahoo.com
http://lists.freeradius.org/mailman/listinfo/freeradius-users wrote:
For EAP-TLS to work, the client certs have to be
signed by the server cert.
Signed by the server cert or by the CA cert? I have a CA that signed the
server and client certs, and the
.
From: Alan DeKok [EMAIL PROTECTED]
Robert Myers [EMAIL PROTECTED] wrote:
The reason I ask, is that I'm using a client cert signed by my CA to do
eap/tls, and it's working. I have not implemented the server cert as of
yet.
Then it *should* work with PEAP. But I don't know of many
Dave Huff wrote:
.
From: Alan DeKok [EMAIL PROTECTED]
Robert Myers [EMAIL PROTECTED] wrote:
The reason I ask, is that I'm using a client cert signed by my CA to do
eap/tls, and it's working. I have not implemented the server cert as of
yet.
Then it *should* work with PEAP. But I
Dave Huff wrote:
.
From: Alan DeKok [EMAIL PROTECTED]
Robert Myers [EMAIL PROTECTED] wrote:
The reason I ask, is that I'm using a client cert signed by my CA to do
eap/tls, and it's working. I have not implemented the server cert as of
yet.
Then it *should* work with
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Alan DeKok
Dave Huff [EMAIL PROTECTED] wrote:
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal
certificate_unknown TLS Alert read:fatal:certificate unknown
SSL is telling FreeRADIUS that
Dave Huff [EMAIL PROTECTED] wrote:
For EAP-TLS to work, the client certs have to be
signed by the server cert.
Signed by the server cert or by the CA cert? I have a CA that signed the
server and client certs, and the eap.conf file knows where server and CA
certs are.
If you're using
Does this only apply if the supplicant uses a server cert during eap/tls?
The reason I ask, is that I'm using a client cert signed by my CA to do
eap/tls, and it's working. I have not implemented the server cert as of
yet.
-Bob
Alan DeKok wrote:
Dave Huff [EMAIL PROTECTED] wrote:
For
Looks like that's set in the users file. As the entry for that email
says DEFAULT.
Dave Huff wrote:
I would like to configure this setup using Freeradius. My WinXP client
(Intel ProSET) supports this, but FR chokes on it when enabled. I've got
PEAP-EAP-MSCHAPV2 working with just
Dave Huff [EMAIL PROTECTED] wrote:
I would like to configure this setup using Freeradius. My WinXP client
(Intel ProSET) supports this, but FR chokes on it when enabled.
Would you be willing to run the server in debugging mode, as
suggested in the FAQ, README, INSTALL, and daily on this
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Alan DeKok
Dave Huff [EMAIL PROTECTED] wrote:
I would like to configure this setup using Freeradius. My WinXP client
(Intel ProSET) supports this, but FR chokes on it when enabled.
Dave Huff [EMAIL PROTECTED] wrote:
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal
certificate_unknown
TLS Alert read:fatal:certificate unknown
SSL is telling FreeRADIUS that the certificate sent by the client is
bad.
You're probably doing EAP-TLS where the server has one cert, and