On Wed, 22 Sep 2004, Lara Adianto wrote:

> I followed the instructions in the following howto on the net:
> http://www.freeradius.org/doc/EAPTLS.pdf

I found the certificate creation part of that howto to be sort of confusing. I think the key thing is that the certificates are normal other than wanting the extension for the OID.

> CA cert:
> *********

The CA cert looks OK to me. FWIW, I'd kick up the days on the lifetime. When the CA cert expires, all the other certs you've signed break too.

> Client cert:
> *************
> /usr/local/openssl/bin/openssl req -new -keyout newreq.pem -out newreq.pem -days 730
> -passin pass:whatever -passout pass:whatever
> /usr/local/openssl/bin/openssl ca -policy policy_anything -out newcert.pem -passin
> pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles
> newreq.pem
> /usr/local/openssl/bin/openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
> cert-clt.p12 -clcerts -passin pass:whatever -passout pass:whatever

I'm not clear what he was trying to accomplish with the manipulations after this. What I've done is use the pkcs12 file created at this point to install the cert on the Windows machine and that has worked for me. I'd say try copying cert-clt.p12 to your Windows system and use the MMC Certificate snap-in to load it.

> Btw, when I installed the ca, it said that windows can't verify the
> integrity of the ca bec test.adianto.com can't be contacted. I chose to
> install the cert anyway, and the status is ok. So, prob that is not the
> source of the problem.

I think that is normal.

Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(330)335-1541
[EMAIL PROTECTED]
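A check for the two points raised in this reply (the client cert carries the extended key usage extension, and the CA outlives the certs it signs), added here as an example that is not part of the original message or the howto. The contents of the `xpclient_ext` section (the clientAuth OID 1.3.6.1.5.5.7.3.2), the file names and both function names are assumptions; the CA and client certs are throwaway ones constructed by the script.

```shell
#!/bin/sh
# Added example. All keys and certs below are constructed demo material.

# Build a demo CA (3650 days) and a 730-day client cert in directory $1,
# signed once with the EKU section and once without it.
make_demo_certs() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
# Assumed content of the section the quoted "openssl ca" command names.
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 3650 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=demo-client" -keyout "$d/clt.key" -out "$d/clt.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/clt.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 730 -extfile "$d/demo.cnf" \
        -extensions xpclient_ext -out "$d/clt-eku.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/clt.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 730 -out "$d/clt-plain.pem" 2>/dev/null
}

# check_client_cert CA CERT DAYS: prints OK, or the first failed check.
# DAYS is the lifetime given to client certs; the CA must last at least that long.
check_client_cert() {
    ca=$1 cert=$2 days=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by this CA"; return 1; }
    # openssl prints the clientAuth OID under this long name.
    openssl x509 -in "$cert" -noout -text |
        grep -q "TLS Web Client Authentication" ||
        { echo "FAIL: no clientAuth extended key usage"; return 1; }
    openssl x509 -in "$ca" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "FAIL: CA expires before a ${days}-day client cert would"; return 1; }
    echo OK
}
```

Run `check_client_cert` against the real CA cert and `newcert.pem` before exporting the PKCS#12 file, so a cert signed without the extension is caught on the server side rather than on the Windows client.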

