For the sake of posterity (e.g. future searches on this topic): the
stanzas that Ivan replaced in the MAKEFILE, used to create working
client.p12 files under Windows XP SP3, are:


# Generate the client key and certificate request.
client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

# Sign the request with the CA key, applying the xpclient_ext section of xpextensions.
client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

# Bundle the signed certificate and its key into the PKCS#12 file.
client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

# Convert the PKCS#12 file back to PEM and keep a per-user copy.
client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

# Check that the client certificate chains to the CA.
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem



>
> The makefile you sent me allowed me to generate a correct client.p12
> which cleared up the error reported by Windows. Thanks very much. So
> it looks like Windows may prefer personal certs signed by the CA
> rather than the server? I can successfully use the client cert with the
> "Smart Card or other Certificate" options on Windows XP/SP3 (which
> uses EAP-TLS I believe).
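A pre-deployment check for the certificates produced by the stanzas above, as an added example that is not part of the original message or of the FreeRADIUS Makefile. It assumes that xpclient_ext in xpextensions sets the clientAuth extended key usage (OID 1.3.6.1.5.5.7.3.2); the throwaway CA, subjects, file names and the password "demo" are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Names, subjects and the
# password "demo" are constructed; the xpclient_ext content is assumed.

# Succeeds only if the PEM certificate $1 lists the clientAuth EKU.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Same check on the certificate packed inside PKCS#12 file $1 (password $2),
# i.e. on what actually gets imported into the Windows certificate store.
p12_has_client_auth_eku() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Builds a throwaway CA in directory $1 and signs the same CSR twice:
# plain.crt without extensions, client.crt with -extensions xpclient_ext.
make_demo_pki() {
    d=$1
    mkdir -p "$d" || return 1
    printf '[ xpclient_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.2\n' \
        > "$d/xpextensions"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -subj '/CN=Demo CA' -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj '/CN=demo-user' -keyout "$d/client.key" -out "$d/client.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/plain.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/xpextensions" \
        -extensions xpclient_ext -out "$d/client.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
        -out "$d/client.p12" -passout pass:demo 2>/dev/null
}
```

Both demo certificates pass `openssl verify` against the demo CA, even with `-purpose sslclient`, so a chain check like the client.vrfy target does not reveal a missing extension; the EKU has to be inspected explicitly.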