client certs signed by server certs

2009-09-15 Thread Piotr Honik
Hi, I found a problem with a client cert in Windows certificate store, after all three certs have been installed. The server cert is considered invalid, because it lacks the privilege to sign further certs. I hacked the Makefile a little bit, to generate client certs signed by CA cert

Re: client certs

2008-12-11 Thread Andrew Hood
[EMAIL PROTECTED] wrote: Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to persuade up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem. Shouldn't

Re: client certs

2008-12-11 Thread tnt
Shouldn't that be: $ diff Makefile.20081211 Makefile 92c92 openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf --- openssl ca -batch -keyfile ca.key -cert ca.pem

client certs

2008-12-10 Thread Craig White
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5) followed instructions in certs/README perfectly - so I believe. server certs seem fine but generated client cert in Windows shows Windows does not have enough information to verify and yes, I have loaded the 'ca.der' file generated by the

Re: client certs

2008-12-10 Thread tnt
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5) followed instructions in certs/README perfectly - so I believe. server certs seem fine but generated client cert in Windows shows Windows does not have enough information to verify and yes, I have loaded the 'ca.der' file generated by the

Re: client certs

2008-12-10 Thread Craig White
On Thu, 2008-12-11 at 01:13 +0100, [EMAIL PROTECTED] wrote: freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5) followed instructions in certs/README perfectly - so I believe. server certs seem fine but generated client cert in Windows shows Windows does not have enough information

RE: client certs

2008-12-10 Thread Jason Wittlin-Cohen
server certs seem fine but generated client cert in Windows shows Windows does not have enough information to verify and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in

Re: client certs

2008-12-10 Thread tnt
I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over? You should. Original Makefile was creating ca certificate that was valid only for 30 days. This one will use value from ca.cnf. Windows is

RE: client certs

2008-12-10 Thread Craig White
On Wed, 2008-12-10 at 19:32 -0500, Jason Wittlin-Cohen wrote: server certs seem fine but generated client cert in Windows shows Windows does not have enough information to verify and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in

RE: client certs

2008-12-10 Thread Jason Wittlin-Cohen
Craig, Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store. More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted client certificates. It'll complain that you have no certificate. You

Re: client certs

2008-12-10 Thread Craig White
On Thu, 2008-12-11 at 01:49 +0100, [EMAIL PROTECTED] wrote: I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed...do I have to start over? You should. Original Makefile was creating ca certificate that was valid only

RE: client certs

2008-12-10 Thread tnt
Is it normal for this 'client' certificate to show Windows does not have enough information to verify this certificate when you view it? No. Click on the details and see who is the issuer - server or ca. You should give users .p12 certificates which can't be installed without a password used to

RE: client certs

2008-12-10 Thread tnt
Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store. More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted client certificates. It'll complain that you have no certificate. You must

RE: client certs

2008-12-10 Thread Craig White
On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote: Craig, Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store. More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted

Re: client certs

2008-12-10 Thread Jason Wittlin-Cohen
Craig, Have you tried authenticating with the same certificate from a different computer, or using a different supplicant? The XP supplicant is pretty awful. If you have an Intel card, you can download the Intel PROset software for free which has more features than XP's supplicant, supports more

Re: client certs

2008-12-10 Thread Craig White
On Wed, 2008-12-10 at 21:36 -0500, Jason Wittlin-Cohen wrote: Craig, Have you tried authenticating with the same certificate from a different computer, or using a different supplicant? The XP supplicant is pretty awful. If you have an Intel card, you can download the Intel PROset software

Re: final question about client certs using eap-tls (was: cert bootstrap bug?)

2008-08-19 Thread Sergio
Sergio wrote: Hi, also was so many others. At this time I have got one eap module which authenticates users under a PKI. My client certs are issued by root ca (ca.pem) and everything works. I can manage the crl, because it is public, and authenticate any user against any server. So my

final question about client certs using eap-tls (was: cert bootstrap bug?)

2008-08-18 Thread Sergio
Hi, also was so many others. At this time I have got one eap module which authenticates users under a PKI. My client certs are issued by root ca (ca.pem) and everything works. I can manage the crl, because it is public, and authenticate any user against any server. So my question is, what's

disable FreeRadius checking of client certs

2006-10-10 Thread devel
Is it possible to disable FreeRadius's checking of client certificates using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance over-head. Thanks. FreeRadius 1.1.3 Travis J. Weaver, Software Engineer, Oberon, Inc., 1315 S. Allen St., Suite 405, State College, PA 16801, phone:

Re: disable FreeRadius checking of client certs

2006-10-10 Thread Alan DeKok
devel [EMAIL PROTECTED] wrote: Is it possible to disable FreeRadius's checking of client certificates using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance over-head. Thanks. Huh? Client certs are used for PEAP only when you deploy client certs to the end-user machines

Re: disable FreeRadius checking of client certs

2006-10-10 Thread devel
. Thanks. Travis - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: devel [EMAIL PROTECTED]; FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, October 10, 2006 10:27 AM Subject: Re: disable FreeRadius checking of client certs devel [EMAIL

Re: disable FreeRadius checking of client certs

2006-10-10 Thread Alan DeKok
devel [EMAIL PROTECTED] wrote: Well, I have not issued certs to clients. Some of my clients have the option to log in with a username OR a cert. However, there are a few random Linksys cards (I guess I should have mentioned this was for Wifi/WPA) that I MUST provide a username and a

Re: disable FreeRadius checking of client certs

2006-10-10 Thread devel
the problem Travis - Original Message - From: Artur Hecker [EMAIL PROTECTED] To: devel [EMAIL PROTECTED]; FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, October 10, 2006 12:42 PM Subject: Re: disable FreeRadius checking of client certs Hi Travis

re: Client certs with MSCHAPV2 in PEAP

2006-02-27 Thread Norbert Wegener
Dave Huff dbhuff at yahoo.com http://lists.freeradius.org/mailman/listinfo/freeradius-users wrote: For EAP-TLS to work, the client certs have to be signed by the server cert. Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs

Re: Client certs with MSCHAPV2 in PEA

2006-02-24 Thread Dave Huff
people that use client certs with PEAP. I suspect no one has tested that, and that the client may be doing something different than with EAP-TLS. My suggestion is don't use client certs with PEAP. Alan DeKok. Ah well, I'm trying to authenticate both a machine (cert) and a user (password

Re: Client certs with MSCHAPV2 in PEA

2006-02-24 Thread Phil Mayers
don't know of many people that use client certs with PEAP. I suspect no one has tested that, and that the client may be doing something different than with EAP-TLS. My suggestion is don't use client certs with PEAP. Alan DeKok. Ah well, I'm trying to authenticate both a machine (cert

RE: Client certs with MSCHAPV2 in PEA

2006-02-24 Thread Dave Huff
with PEAP. But I don't know of many people that use client certs with PEAP. I suspect no one has tested that, and that the client may be doing something different than with EAP-TLS. My suggestion is don't use client certs with PEAP. Alan DeKok. Ah well, I'm trying

RE: Client certs with MSCHAPV2 in PEAP

2006-02-23 Thread Dave Huff
that the certificate sent by the client is bad. That's what I thought too, but I configured the CA, server, and client certs all on Openssl pretty much like http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html Windows is using the cert I installed from

Re: Client certs with MSCHAPV2 in PEAP

2006-02-23 Thread Alan DeKok
Dave Huff [EMAIL PROTECTED] wrote: For EAP-TLS to work, the client certs have to be signed by the server cert. Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs, and the eap.conf file knows where server and CA certs are. If you're using

Re: Client certs with MSCHAPV2 in PEAP

2006-02-23 Thread Robert Myers
: For EAP-TLS to work, the client certs have to be signed by the server cert. Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs, and the eap.conf file knows where server and CA certs are. If you're using 1.0.x, that won't work. It doesn't

Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Dave Huff
I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled. I've got PEAP-EAP-MSCHAPV2 working with just password authentication. I noted this

Re: Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Robert Myers
Looks like that's set in the users file. As the entry for that email says DEFAULT. Dave Huff wrote: I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled. I've got PEAP-EAP-MSCHAPV2 working with just

Re: Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Alan DeKok
Dave Huff [EMAIL PROTECTED] wrote: I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled. Would you be willing to run the server in debugging mode, as suggested in the FAQ, README, INSTALL, and daily on this

RE: Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Dave Huff
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Dave Huff [EMAIL PROTECTED] wrote: I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled.

Re: Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Alan DeKok
, and the client has cert signed by someone else entirely. For EAP-TLS to work, the client certs have to be signed by the server cert. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS: limiting client certs to a select group

2005-03-16 Thread Jon Franklin
On Wed, 16 Mar 2005 00:27:03 -0600, Jon Franklin [EMAIL PROTECTED] wrote: On Wed, 16 Mar 2005 00:09:09 -0600, David Duchscher [EMAIL PROTECTED] wrote: I am a little behind you at the moment so really hoping this helps you. Have you set CA_path in the configuration file to point somewhere

Re: EAP-TLS: limiting client certs to a select group

2005-03-15 Thread Michael Riviera
Jon Franklin wrote: I tried using my own hand-generated SSL certs, as well as a set generated by the certs.sh script, and get the same type of problem. Question: if the CA_file certificate contains a private key, would this cause my problem? I don't think it has one, but can't say with certainty

Re: EAP-TLS: limiting client certs to a select group

2005-03-15 Thread Alan DeKok
Jon Franklin [EMAIL PROTECTED] wrote: On a follow-up to this, I found that the certificate I was using (Thawte Freemail Member) was being validated against a set of root certs in /usr/share/ssl/certs/ca-bundle.crt (I'm using Fedora Core 3, btw). There's probably some global OpenSSL config

Re: EAP-TLS: limiting client certs to a select group

2005-03-15 Thread David Duchscher
On Mar 15, 2005, at 11:46 PM, Jon Franklin wrote: On Tue, 15 Mar 2005 18:59:02 -0500, Alan DeKok [EMAIL PROTECTED] wrote: Jon Franklin [EMAIL PROTECTED] wrote: On a follow-up to this, I found that the certificate I was using (Thawte Freemail Member) was being validated against a set of root certs

Re: EAP-TLS: limiting client certs to a select group

2005-03-15 Thread Jon Franklin
On Wed, 16 Mar 2005 00:09:09 -0600, David Duchscher [EMAIL PROTECTED] wrote: I am a little behind you at the moment so really hoping this helps you. Have you set CA_path in the configuration file to point somewhere else? From the code, it looks like CA_path is set to default if you don't

EAP-TLS: limiting client certs to a select group

2005-03-14 Thread Jon Franklin
to lock it down. Is there a way to configure freeradius to only accept client certs issued by a specific CA? Either that or only allow a specific set of certs (say, copies of the certs in a directory, for example), either way would be fine for my purposes. -- Jon Franklin [EMAIL PROTECTED] - List

Re: EAP-TLS: limiting client certs to a select group

2005-03-14 Thread Jon Franklin
certificate I want, and freeradius will allow the client through. This presents a major security hole in my configuration, and I can't seem to figure out how to lock it down. Is there a way to configure freeradius to only accept client certs issued by a specific CA? Either that or only allow