Daniel,
Please look in the CA.all script that comes with a recent snapshot of
freeradius. It is the recommended way to generate the certificates.
When using that "CA.all" script please note carefully the following:
- The "Common Name" attributes you give as input must be
different! Otherwise the certificates are not generated properly and/or
a VERY cryptic openssl error is printed, with the resulting
certificates not working properly.
When using the "CA.all" script you are prompted for three CNs,
which are (in order) 1) The CN for your CA (Certification Authority),
2) The client certificate and 3) The server certificate. Again, they
all must be different.
- The "user" that you put in the "raddb/users" file must match
the CN for the client. Please include the full name within quotes.
- On the client you must install the "root.der" certificate and
ACK that this is a trusted CA. Also, you must add the
"cert-clt.p12" certificate. Please also note that the client
certificate must be in PKCS#12 format.
For a detailed howto please see http://www.dslreports.com/forum/remark,9286052~mode=flat
For how to install the root and the client certificates and how to
acknowledge that the CA is trusted please see "Section 10" of the
HOWTO at http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
HTH,
Florian
Daniel Walther writes:
> Hello Florian,
> Hello List,
>
> Thanks for your fast answer. I think that there is a bug in the certificates
> too. But I can't see any error.
> I use the attached scripts for the certificates generation.
> Is there any error?
>
> Thanks in advance for your help
>
> Regards
> Daniel
>
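
The checks listed in the message above (three distinct CNs, and a quoted raddb/users entry equal to the client CN) can be run before testing a client. This is an added example, not part of the original thread or of the freeradius scripts; the function names, the sample CNs and the sample users entry are constructed, and the users-file layout is assumed as described in the comments.

```shell
#!/bin/sh
# Added example: pre-flight check for the rules in the message above.
# Assumption: each raddb/users entry starts in column 1 with the user name,
# optionally in double quotes; indented lines are reply items.

# Subject CN of an X.509 certificate; $2 is PEM (default) or DER (root.der).
cert_cn() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# User names defined in a users file, one per line.
users_in_file() {
    awk '
        /^#/ || /^$/ || /^[ \t]/ { next }              # comments, blanks, reply items
        /^"/ { split($0, q, "\""); print q[2]; next }  # quoted full name
        { print $1 }                                   # bare first word
    ' "$1"
}

# check_eap_tls CA_CN CLIENT_CN SERVER_CN USERS_FILE
# Prints each problem on stderr; returns 0 only when every rule holds.
check_eap_tls() {
    ca=$1; client=$2; server=$3; users=$4; rc=0
    for cn in "$ca" "$client" "$server"; do
        [ -n "$cn" ] || { echo "empty CN" >&2; rc=1; }
    done
    if [ "$ca" = "$client" ] || [ "$ca" = "$server" ] || [ "$client" = "$server" ]; then
        echo "CA, client and server CNs must all be different" >&2; rc=1
    fi
    if ! users_in_file "$users" | grep -Fxq -- "$client"; then
        echo "no users entry matches client CN \"$client\"" >&2; rc=1
        # An unquoted line starting with the CN means the quotes are missing.
        if awk -v cn="$client" 'index($0, cn) == 1 { f = 1 } END { exit !f }' "$users"; then
            echo "put the full name in quotes in $users" >&2
        fi
    fi
    return $rc
}

# Constructed sample input (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed raddb/users fragment
"Test Client"   Auth-Type := EAP
EOF
check_eap_tls "Example Root CA" "Test Client" "radius.example.org" "$sample" && echo "checks passed"
rm -f "$sample"
```

The CN arguments can be taken from the generated certificates with `cert_cn`, for example `cert_cn root.der DER` for the CA certificate.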