Unfortunately you didn't get rid of me yet. The problem doesn't relate anymore to Freeradius that much but to Certificate installation.
When I open the Personal certificate and select Details tab->Edit properties I have to select Enable only the following purposes and deselect all but Client Authentication. Doing this Windows 2000 finds the certificate and EAP/TLS authentication goes OK. But if I don't do this it says unable to find certificate. I can't use the EKU described in Ken Roser's document because if I use it Windows 2000 says that the certificate has a non-valid digital signature. Does the EKU work only in XP? The detail tab shows only Client authentication as authentication method on the Personal certificate as I need though. I tried editing the openssl.cnf file and setting nsCertType = client, server (because it give this type to client and server certificate using the script). Then I removed the extensions bits from CA.all and made the certificate. The Personal certificate still shows all the possible usages for the certificate and I have to pick the Client authentication to make it work. The problem here is that we currently don't have a Certificate server installed to distribute the certificates so I would like to make the distribution as easy as possible. Installing the two certificates is relatively easy. But if you have to start MMC-->Add Snap-in-->Go to Personal certificate and enable only the client authentication purpose it gets a lot more complicated. Any idea how to edit CA.all, OpenSSL.cnf, CA.pl or any other place to give the client certificate purpose to only function as client certificate so Windows 2000 would find it? Best regards and thank you for any help in advance: Antti Mattila -- [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
