On Fri, Oct 22, 2004, Meadows, Loris C wrote:

> We are about to roll out freeRADIUS servers to 1,700 schools. freeRADIUS and
> openSSL will be used for 802.1x security of our wireless networks.
>
> Notebooks that have only one user are working fine - we install a user
> (username.P12) and root certificate (root.der) to a notebook running Windows
> XP and everything works perfectly. However, we have some schools that have
> class sets of notebooks used by many students. We don't want the hassle of
> installing a new user certificate for EVERY CASUAL USER of a notebook. A
> machine certificate makes much more sense!
>
> Somebody has suggested the addition of one extra OID to the PKCS#12 keybag
> attributes. Just having this particular OID present is enough to get the
> certificate working for machine authentication -- The OID was:
> 1.3.6.1.4.1.311.17.2. From what I can tell, the presence of this OID tells
> Windows XP that the cert is intended for use by the computer itself, and not
> by an end-user.
>
> Can somebody please advise me on how to modify openSSL to include this extra
> OID? Or could somebody send me a patch? Manually editing certificates is not
> an option.
>

Do you have any sample PKCS#12 files that include this OID? I'm assuming that
some extra data is needed too.

The way to add this is to do something similar to PKCS12_add_CSPName_asc() but
using the correct NID and any necessary extra data.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
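
What "one extra OID in the PKCS#12 keybag attributes" looks like at the DER level, as an added example (not code from this thread or from OpenSSL): it encodes the OID, builds the attribute, and checks a bagAttributes SET for it. The empty value set follows the statement above that presence alone is enough and is an assumption; the helper names and the two sample bags are constructed for illustration.

```python
MACHINE_KEYSET_OID = "1.3.6.1.4.1.311.17.2"  # OID quoted in the thread
FRIENDLY_NAME_OID = "1.2.840.113549.1.9.20"  # PKCS#9 friendlyName

def tlv(tag, content=b""):
    n = len(content)
    if n < 0x80:  # short-form DER length
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def encode_oid(dotted):
    """DER-encode a dotted OID (base-128 arcs, high bit marks continuation)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def attribute(oid, values=b""):
    """SEQUENCE { attrId OID, attrValues SET }; empty SET is an assumption."""
    return tlv(0x30, encode_oid(oid) + tlv(0x31, values))

def read_tlv(buf, pos):  # -> (tag, content, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low bits give the number of length octets
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def has_machine_keyset(bag_attributes):
    """True if a DER bagAttributes SET contains the machine-keyset OID."""
    tag, body, _ = read_tlv(bag_attributes, 0)
    if tag != 0x31:
        raise ValueError("bagAttributes must be a SET OF attributes")
    want, pos = encode_oid(MACHINE_KEYSET_OID), 0
    while pos < len(body):
        _, attr, pos = read_tlv(body, pos)
        if attr.startswith(want):  # attrId is the first element
            return True
    return False

name = attribute(FRIENDLY_NAME_OID, tlv(0x1E, "classroom".encode("utf-16-be")))
USER_BAG = tlv(0x31, name)                                     # constructed
MACHINE_BAG = tlv(0x31, name + attribute(MACHINE_KEYSET_OID))  # constructed
```

The same check can be pointed at the bagAttributes bytes of a real key bag once they have been extracted with an ASN.1 dump tool.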