hi

> When I open the Personal certificate and select Details tab->Edit properties I have 
> to select Enable only the following purposes and deselect all but Client 
> Authentication. Doing this Windows 2000 finds the certificate and EAP/TLS 
> authentication goes OK. But if I don't do this it says unable to find certificate.

interesting, so windows 2000 wants the certificate to be a pure Client
Auth certificate? why not, it would still work for you, right?


> I can't use the EKU described in Ken Roser's document because if I use it Windows 
> 2000 says that the certificate has a non-valid digital signature. Does the EKU work 
> only in XP? The detail tab shows only Client authentication as authentication method 
> on the Personal certificate as I need though.

oops? perhaps i don't understand something, but in my case the Client
Authentication IS mentioned under the Extended Key usage uncritical
extension with the value of 1.3.6.1.5.5.7.3.2.

i don't get which client authentication you are talking about otherwise.
the only one i have is in the EKU. and: windows 2000 can't say it's not
valid because of EKU, this extension is not critical, so it does not
need to be there from the certification point of view. it's my
understanding...

 
> I tried editing the openssl.cnf file and setting nsCertType = client, server 
> (because it give this type to client and server certificate using the script). Then 
> I removed the extensions bits from CA.all and made the certificate.

sorry, i don't know what nsCertType is, looks like netscape to me. and i
don't use CA.all, i use the openssl commands, one after another.

 
> The Personal certificate still shows all the possible usages for the certificate and 
> I have to pick the Client authentication to make it work.

yes, the only usage i have is checked and this is client authentication.
unfortunately it's part of the EKU.

 
> Installing the two certificates is relatively easy. But if you have to start 
> MMC-->Add Snap-in-->Go to Personal certificate and enable only the client 
> authentication purpose it gets a lot more complicated.

i think you can achieve the same result by just clicking on
certificates. you choose the destination repository only for the root
certificate.

otherwise supply a .reg file, perhaps it will work in this way.

 
> Any idea how to edit CA.all, OpenSSL.cnf, CA.pl or any other place to give the 
> client certificate purpose to only function as client certificate so Windows 2000 
> would find it?

hmm, i don't think you need any of those. i never edited openssl.cnf and
i didn't use ca.all nor ca.pl. i didn't use windows 2000 either :-) but
it can't be that different.

if you want i'll produce two bogus certificates for you and you can test
those on your 2000.


ciao
artur

-- 
Artur Hecker
artur[at]hecker.info

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
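As an added example (not from the thread or from FreeRADIUS), the following script issues a client certificate from a throwaway CA with `extendedKeyUsage = clientAuth` (OID 1.3.6.1.5.5.7.3.2) as its only EKU, then prints the EKU so it can be checked before the certificate is imported anywhere; it assumes `openssl` is in PATH, and all file and section names are hypothetical.

```shell
# Added example, not from the thread: build a throwaway CA and a client
# certificate whose only EKU is clientAuth (OID 1.3.6.1.5.5.7.3.2), then
# print the EKU so it can be checked before the cert goes near a Windows box.
# Assumes openssl is in PATH; all file names are hypothetical and temporary.
set -e

WORK=$(mktemp -d)

# Self-contained config: a no-prompt [req] section plus the two extension
# sections. extendedKeyUsage is deliberately NOT marked critical, matching
# what the thread reports seeing in a working certificate.
cat > "$WORK/eap.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

# CA key+cert, client key+CSR, then sign the CSR with client_ext only.
make_client_cert() {
    openssl req -config "$WORK/eap.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -config "$WORK/eap.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/eap.cnf" -extensions client_ext \
        -out "$WORK/client.crt" 2>/dev/null
}

# Return the EKU value line of a certificate (empty if the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

make_client_cert
cert_eku "$WORK/client.crt"
```

The client key and certificate under `$WORK` can then be bundled with `openssl pkcs12 -export` for import on the Windows side; the CA certificate has no EKU at all, which the same check shows as an empty line.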
