Brian vb said: "CA is in trusted root stores under "Current User", and client is in Personal under "Current User". One thing I see when viewing the certs is the Root has "Locker Systems" (using a random name to keep the identity of my company out of the certs) as the issuer and the client has SSLeay Demoserver.. looks like OpenSSL didn't make the certs right for some odd reason.. it's like it used its own CA root or something else happened. I will recreate the certs but I'm quite sure I entered the same data in all certs except commonname which I made the same as the machine the cert will reside on. Root CA common name didn't match any machine name. Where should the CA be? Machine or User?"

First, when you create the server and client certificates you need to use the Microsoft attributes for Server and Client authentication.

    [ xpclient_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    [ xpserver_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

I would suggest following the instructions here: http://www.linuxjournal.com/node/8095/print

The howto is for setup of Freeradius on Linux, but it should be similar on Windows because it's the OpenSSL commands that matter when creating the certs.

In order to find out if the certificate is correct, you can double click the certificate in the Personal store and go to "Certification Path". You should see the certificate common name as well as the common name of your Root CA. If you don't, something is wrong. You should also see "This certificate is OK" in the Certificate status box. If this isn't the case, either the certificate was signed by the wrong CA, or the Root CA wasn't properly loaded into the User "Trusted Root Certificate Authorities" store.
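
The "Certification Path" check described in the reply can also be run with the openssl command line before the certificates are imported. This is an added example, not part of the original post: it builds a throwaway CA and client certificate using the xpclient_ext section quoted above, then confirms the issuer, the chain and the client-auth EKU. All names, file names and function names are constructed, and it assumes the openssl CLI is on the PATH.

```shell
#!/bin/sh
# Added example; every name (Example Root CA, Other CA, client-pc) is constructed.
write_cfg() {     # $1 = working dir; minimal config plus the EKU section from the reply
  cat > "$1/ex.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

make_ca() {       # $1 = dir, $2 = file prefix, $3 = CA common name (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ex.cnf" \
    -extensions v3_ca -subj "/O=Example Org/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

make_client() {   # $1 = dir, $2 = prefix of the CA that signs the client cert
  openssl req -newkey rsa:2048 -nodes -config "$1/ex.cnf" \
    -subj "/O=Example Org/CN=client-pc" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/client.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/ex.cnf" -extensions xpclient_ext \
    -out "$1/client.pem" 2>/dev/null
}

check_client_cert() {   # $1 = CA cert, $2 = client cert; prints OK and returns 0 if sound
  ca_subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  # 1. The client's issuer must be the root CA's subject (signed by the wrong CA otherwise).
  [ "$issuer" = "$ca_subject" ] || { echo "issuer mismatch: $issuer"; return 1; }
  # 2. The signature chain must verify against that CA for client use.
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 ||
    { echo "chain does not verify"; return 2; }
  # 3. -purpose accepts a cert with no EKU at all, so require clientAuth explicitly.
  openssl x509 -in "$2" -noout -text | grep -q "TLS Web Client Authentication" ||
    { echo "client-auth EKU missing"; return 3; }
  echo "OK"
}

d=$(mktemp -d) && write_cfg "$d" && make_ca "$d" ca "Example Root CA" &&
  make_ca "$d" other "Other CA" && make_client "$d" ca
check_client_cert "$d/ca.pem" "$d/client.pem"
check_client_cert "$d/other.pem" "$d/client.pem" || echo "(expected: not issued by Other CA)"
rm -rf "$d"
```

The second call reproduces the symptom from the quoted message: the issuer shown on the client certificate is not the root CA that was loaded as trusted.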

