#1
Venkata LK Mula wrote:
> Hi,
>
> With reference to the above mentioned subject, we have generated root,
> server and client certificates in .pfx (p12) and .der format in
> FreeRADIUS using OpenSSL, installed these certificates on the Windows
> XP client. And when I'm trying to associate the Windows client to the
> network, it is displaying the message "Windows was unable to find the
> certificate to log you on the network Roaming test2". Can anybody
> look into the issue and suggest us with possible solutions for the same
> please.
>
> regards,
>
> Venkat

If you used the FreeRADIUS utilities to issue certificates (make ca.pem, make server.pem, make client.pem, bootstrap command, etc.), you need to mark the server certificate as CA:true or something like this, because the server is the issuer of the client certs (at least in the default radius PKI). See and compare ca.cnf and server.cnf and you will see that the default configuration doesn't put issuing permissions into the server certificate, only into the CA's. Because the server hasn't got issuing permission, Windows considers that the certification route is broken. You can see it in Mozilla or IE.

If you don't want to use the server certificate to sign client certs, you can issue them with ca.pem, changing only two options in the Makefile file (client.pem rule), or you can put your own commands. I have this configuration and it works perfectly, it's just a different PKI.

But if your client certs are now signed by the root authority and Windows was unable to find it, I can't help you more.

Also, be sure that the server and client certs have the correct extensions to work on XP. These extensions are KeyUsage and a list of numbers separated by points. The above commands, in this case, add these extensions.

Hope this helps.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
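The chain problem described in the reply above, reproduced with a throwaway PKI. This is an added example, not part of the original posts and not FreeRADIUS's own Makefile or .cnf files; the `demo-*` names, `pki.cnf` and its section names are constructed, and `1.3.6.1.5.5.7.3.2` is the standard clientAuth extended key usage OID. The client certificate is signed by the server certificate, and validation is checked once with the server marked `CA:FALSE` and once with `CA:TRUE`.

```shell
# Added example: throwaway PKI; the demo-* names and pki.cnf are constructed.
set -e

# build_chain DIR SERVER_BC: root CA -> server cert -> client cert, where
# SERVER_BC is the basicConstraints value given to the server certificate.
build_chain() {
    d=$1; mkdir -p "$d"
    cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = req
[ca_ext]
basicConstraints = critical,CA:TRUE
[server_ext]
basicConstraints = critical,$2
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    for n in ca server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
            -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root; server signed by the root; client signed by the SERVER.
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/ca.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -extfile "$d/pki.cnf" -extensions server_ext \
        -out "$d/server.pem" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/server.pem" \
        -CAkey "$d/server.key" -set_serial 2 -days 1 -extfile "$d/pki.cnf" \
        -extensions client_ext -out "$d/client.pem" 2>/dev/null
}

# chain_status DIR: "ok" if the client cert validates up to the root.
chain_status() {
    if openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" \
        "$1/client.pem" >/dev/null 2>&1; then echo ok; else echo broken; fi
}

# has_client_eku DIR: "yes" if the client cert carries the clientAuth EKU.
has_client_eku() {
    if openssl x509 -in "$1/client.pem" -noout -text |
        grep -q "TLS Web Client Authentication"; then echo yes; else echo no; fi
}

work=$(mktemp -d)
build_chain "$work/default" CA:FALSE
build_chain "$work/fixed" CA:TRUE
echo "CA:FALSE: $(chain_status "$work/default")  CA:TRUE: $(chain_status "$work/fixed")"
```

Running `openssl x509 -in server.pem -noout -text` on a real deployment and looking at the X509v3 Basic Constraints line shows which of the two cases applies.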
#2
I have had to add certs to two different places in Windows in order for them to be found. I added them using system32/certmgr -- but that is not enough. I have found I also need to add them using the certificate control panel in Internet Explorer. I use certs to sign documents in OpenOffice among others. If you are finding that you cannot find certs you thought you had added, try adding them in both of these places.

Lee

Sergio wrote:
> Venkata LK Mula wrote:
>> Hi,
>>
>> With reference to the above mentioned subject, we have generated
>> root, server and client certificates in .pfx (p12) and .der format in
>> FreeRADIUS using OpenSSL, installed these certificates on the Windows
>> XP client. And when I'm trying to associate the Windows client to the
>> network, it is displaying the message "Windows was unable to find the
>> certificate to log you on the network Roaming test2". Can anybody
>> look into the issue and suggest us with possible solutions for the
>> same please.
>>
>> regards,
>>
>> Venkat
>
> If you used the FreeRADIUS utilities to issue certificates (make
> ca.pem, make server.pem, make client.pem, bootstrap command, etc.), you
> need to mark the server certificate as CA:true or something like this,
> because the server is the issuer of the client certs (at least in the
> default radius PKI). See and compare ca.cnf and server.cnf and you
> will see that the default configuration doesn't put issuing permissions
> into the server certificate, only into the CA's. Because the server hasn't got
> issuing permission, Windows considers that the certification route
> is broken. You can see it in Mozilla or IE.
>
> If you don't want to use the server certificate to sign client certs, you
> can issue them with ca.pem, changing only two options in the
> Makefile file (client.pem rule), or you can put your own commands. I
> have this configuration and it works perfectly, it's just a different
> PKI.
>
> But if your client certs are now signed by the root authority and
> Windows was unable to find it, I can't help you more.
>
> Also, be sure that the server and client certs have the correct extensions
> to work on XP. These extensions are KeyUsage and a list of numbers
> separated by points. The above commands, in this case, add these
> extensions.
>
> Hope this helps.

--
Leonard F. Elia III, CISSP 757.864.5009
Sr. System Administrator
ConITS - NASA Langley Research Center
NCI Information Systems, Inc., Hampton VA