A quick note to help others in the future who are trying to use openssl to generate certificates for use with Windows 2000 L2TP/IPSec:

I just spent several days trying to figure out why Windows 2000 IPSec refused to use certificates generated by openssl. After trying all sorts of (what seemed to me) obscure X509V3 extensions, the problem turned out to be simple. If a certificate's expiration date/time is after the CA's expiration date/time, Windows 2000 IPSec comes back with 'IKE failed to find valid machine certificate'. Needless to say, Microsoft provides almost no useful diagnostics.. if it doesn't work, you have to guess.. sigh.

I don't know if it's a bug that openssl will set a user's certificate expiration after a CA's, but I'd suggest that at least a warning or something might be helpful. If one of the openssl developers reads this then please consider that a feature request.

Hopefully this message might save someone in the future from the hair-tearing exercise I just went through...

Richard Browne.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
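A pre-deployment check for the condition described in the message above, as an added example that is not part of the original post: it compares a certificate's notAfter with its CA's using the openssl CLI. The function names and the throwaway chain (a 30-day CA issuing a 365-day certificate) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a certificate whose notAfter is later than its CA's.

# Print a certificate's notAfter as a sortable UTC number, YYYYMMDDHHMMSS.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//' |
    awk '{ split($3, t, ":")
           m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
           printf "%04d%02d%02d%02d%02d%02d\n", $4, m, $2, t[1], t[2], t[3] }'
}

# Return 0 if the leaf expires no later than the CA, 1 if it outlives the CA,
# 2 if either file could not be read as a certificate.
leaf_within_ca() {
    leaf_end=$(not_after "$1")
    ca_end=$(not_after "$2")
    [ -n "$leaf_end" ] && [ -n "$ca_end" ] || return 2
    [ "$leaf_end" -le "$ca_end" ]
}

# Build a constructed test chain in directory $1: CA valid $2 days, leaf $3 days.
# openssl applies the requested lifetimes without comparing them.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.pem" -days "$2" -subj "/CN=Constructed Test CA" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$1/leaf.key" \
        -out "$1/leaf.csr" -subj "/CN=constructed-leaf" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.pem" -days "$3" 2>/dev/null
}

# Demo on constructed data: a 30-day CA issuing a 365-day certificate.
demo_dir=$(mktemp -d)
make_chain "$demo_dir" 30 365
if leaf_within_ca "$demo_dir/leaf.pem" "$demo_dir/ca.pem"; then
    echo "OK: certificate expires within the CA's validity"
else
    echo "WARNING: certificate (notAfter $leaf_end) outlives CA (notAfter $ca_end)"
fi
rm -rf "$demo_dir"
```

Run `leaf_within_ca machine.pem ca.pem` against real files before importing a certificate; a non-zero status means the certificate should be reissued with a shorter lifetime or the CA renewed first.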