Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread tnt
And that is good. Windows doesn't need to know who issued that
certificate, only the RADIUS server does.

Ivan Kalik
Kalik Informatika ISP


On 25/1/2008, orion [EMAIL PROTECTED] wrote:

Isn't it a problem that Windows says about the client certificate:
"the issuer of this certificate cannot be found"?

Can the certificate be used in this case?

On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 2) or only CA certificate + client certificate?
 
 In the second case the linkage between the CA and client doesn't exist (as
 you said, the server is the issuer of the client's certificate).
 

 A link is not needed. The server checks the client certificate to see if it's
 issued by the server (certificate). The client checks the server certificate to
 see if it's issued by a known and trusted CA. Nothing checks the client
 certificate against the CA.

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html






Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread tnt
2) or only CA certificate + client certificate?

In the second case the linkage between the CA and client doesn't exist (as you
said, the server is the issuer of the client's certificate).


A link is not needed. The server checks the client certificate to see if it's
issued by the server (certificate). The client checks the server certificate to
see if it's issued by a known and trusted CA. Nothing checks the client
certificate against the CA.

Ivan Kalik
Kalik Informatika ISP



Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread Alan DeKok
orion wrote:
 the import of client.p12 is OK but it doesn't have a valid link;
 it is ca-server-client

  What does that mean?

 and the details of the server certificate say that it is not authorized
 to issue certificates.

  Where does it say that?  Which certificate tool are you using to look
at the certificates?

 the client certificate says that it is issued by the server, not by the CA.

  Yes, that is supposed to happen.

 the question is:
 should the client certificate be issued by the server or by the CA?

  Server.

 in fact, after modifying the Makefile and client.cnf and re-importing them
 in XP,
 the linkage is OK (ca-client).

  That's not how it's supposed to work.

  Alan DeKok.


Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread orion
I'm using the standard Windows MMC.

After importing the CA and server certificates,
the server certificate links to the CA certificate OK:

CA certificate
|- server certificate

but when I import the client.p12 certificate the linkage is

CA certificate
|- server certificate
|- client certificate

At that moment the server part says (it is not allowed to issue certificates for
others).

So the server certificate is not allowed to issue certificates (in this case,
to issue the certificate for the server).

1) Is it necessary to import the server certificate + CA certificate + client
certificate?
2) Or only CA certificate + client certificate?

In the second case the linkage between the CA and client doesn't exist (as you
said, the server is the issuer of the client's certificate).


On 25/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:

 orion wrote:
  the import of client.p12 is OK but it doesn't have a valid link;
  it is ca-server-client

   What does that mean?

  and the details of the server certificate say that it is not authorized
  to issue certificates.

   Where does it say that?  Which certificate tool are you using to look
 at the certificates?

  the client certificate says that it is issued by the server, not by the
  CA.

   Yes, that is supposed to happen.

  the question is:
  should the client certificate be issued by the server or by the CA?

   Server.

  in fact, after modifying the Makefile and client.cnf and re-importing them
  in XP,
  the linkage is OK (ca-client).

   That's not how it's supposed to work.

   Alan DeKok.

Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread orion
Isn't it a problem that Windows says about the client certificate:
"the issuer of this certificate cannot be found"?

Can the certificate be used in this case?

On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 2) or only CA certificate + client certificate?
 
 In the second case the linkage between the CA and client doesn't exist (as
 you said, the server is the issuer of the client's certificate).
 

 A link is not needed. The server checks the client certificate to see if it's
 issued by the server (certificate). The client checks the server certificate to
 see if it's issued by a known and trusted CA. Nothing checks the client
 certificate against the CA.

 Ivan Kalik
 Kalik Informatika ISP


Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread Alan DeKok
orion wrote:
 but when I import the client.p12 certificate the linkage is
 
 CA certificate
 |- server certificate
 |- client certificate
 
 At that moment the server part says (it is not allowed to issue certificates
 for others).

  There's no reason why the intermediate certificate can't issue a
client certificate.

  And yes, you already said it complained about that.  There's no reason
to re-post a summary of that message.  You were asked to post *specific*
information.

 So the server certificate is not allowed to issue certificates (in this
 case, to issue the certificate for the server).

  Nonsense.

 1) Is it necessary to import the server certificate + CA certificate +
 client certificate?
 2) Or only CA certificate + client certificate?
 
 In the second case the linkage between the CA and client doesn't exist (as
 you said, the server is the issuer of the client's certificate).

  A direct linkage doesn't exist, and doesn't need to exist.

  Windows has *zero* problems using such a client certificate for
EAP-TLS.  If you see an error message, then either the software you're
using is broken, or you didn't understand the message it's producing.

  Alan DeKok.


Re: certificates in FR 2.0.1 on Windows don't work

2008-01-25 Thread Alan DeKok
orion wrote:
 Isn't it a problem that Windows says about the client certificate:
 "the issuer of this certificate cannot be found"?

  Thank you for FINALLY posting the REAL error message.  It helps to
post the REAL error message, because you can then get a REAL solution.

  In this case, you didn't add the server certificate (or the CA
certificate) into the root CA store.  All of the documentation and
howto's say you need to do this, so

  Alan DeKok.
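To make the point of the whole thread concrete, here is an added example (not FreeRADIUS's bootstrap script or the Makefile in its certs directory) that builds the ca-server-client layout orion describes with plain OpenSSL and then runs the checks each side of EAP-TLS actually performs. All names (Example Root CA, radius.example.test, user1, the file names) are made up and it needs the openssl command line. The server certificate is given basicConstraints CA:TRUE and keyUsage keyCertSign so that it may issue, which is exactly the property the MMC view was complaining about. As a counter-example it also builds an end-entity server certificate (CA:FALSE) and a client certificate signed with its key anyway, to show what a verifier says when the issuer really is not allowed to issue.

```shell
#!/bin/sh
# Added example, not FreeRADIUS code: build CA -> server -> client with
# OpenSSL and check which bundles verify. All names below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for every request; -subj supplies the real names. The
# "server_issuing" section is what lets the server certificate sign
# the client certificate (CA:TRUE plus keyCertSign).
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server_issuing ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
[ v3_server_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# csr <cn> <key-out> <csr-out>: fresh RSA key plus a request for CN=<cn>
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# issue <csr> <issuer-cert> <issuer-key> <serial> <ext-section> <cert-out>
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" \
    -days 365 -extfile req.cnf -extensions "$5" -out "$6" >/dev/null 2>&1
}

# Self-signed root, a server certificate the root allows to issue, and a
# client certificate signed by the server key: the ca-server-client layout.
openssl req -x509 -new -newkey rsa:2048 -nodes -config req.cnf \
  -extensions v3_ca -subj "/CN=Example Root CA" -days 365 \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
csr radius.example.test server.key server.csr
issue server.csr ca.pem ca.key 1001 v3_server_issuing server.pem
csr user1 client.key client.csr
issue client.csr server.pem server.key 2001 v3_client client.pem

# Counter-example: an end-entity server certificate (CA:FALSE) and a client
# certificate signed with its key anyway.
csr radius2.example.test leaf.key leaf.csr
issue leaf.csr ca.pem ca.key 1002 v3_server_leaf leaf.pem
csr user2 client2.key client2.csr
issue client2.csr leaf.pem leaf.key 2002 v3_client client2.pem

# verdict <cert> [untrusted-intermediate]: OK or FAIL against the root store
verdict() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile ca.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

server_against_ca()        { verdict server.pem; }            # the supplicant's check
client_with_server_chain() { verdict client.pem server.pem; } # the RADIUS server's check
client_without_server()    { verdict client.pem; }            # "issuer cannot be found"
client_from_nonca_server() { verdict client2.pem leaf.pem; }  # "not authorized to issue"

# Show the issuer links the way a certificate viewer would.
for c in ca.pem server.pem client.pem leaf.pem client2.pem; do
  printf '%s: ' "$c"; openssl x509 -noout -subject -issuer -in "$c" | tr '\n' ' '; echo
done
echo "server vs CA:           $(server_against_ca)"
echo "client + server vs CA:  $(client_with_server_chain)"
echo "client alone vs CA:     $(client_without_server)"
echo "client2 + leaf vs CA:   $(client_from_nonca_server)"
```

Run it with sh. The verdicts mirror the thread: the server certificate verifies against the CA (what the Windows supplicant checks), the client certificate verifies once the server certificate is supplied as the intermediate (what the RADIUS server checks), and the very same client certificate fails with "unable to get local issuer certificate" when only the CA is in the store, which is OpenSSL's wording for Windows' "the issuer of this certificate cannot be found". The counter-example fails no matter which bundle is supplied, because a CA:FALSE certificate without keyCertSign is never accepted as an issuer.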


certificates in FR 2.0.1 on Windows don't work

2008-01-24 Thread orion
Hi to all.
I created the certificates with the default config files in FR 2.0.1 with
./bootstrap

and created the client certificate with
make client


The import of ca.pem and server.crt in WinXP is OK.
They link with each other OK (ca-server).

The import of client.p12 is OK but it doesn't have a valid link;
it is ca-server-client
and the details of the server certificate say that it is not authorized to
issue certificates.
The client certificate says that it is issued by the server, not by the CA.


The question is:
should the client certificate be issued by the server or by the CA?

If it is to be issued by the CA then the Makefile in the cert dirs has to be
modified.

In fact, after modifying the Makefile and client.cnf and re-importing them in
XP,
the linkage is OK (ca-client).

Is this a problem? Or what?