Under most circumstances, root certificates must be installed in the
Machine Root store, not in the User Root store.  If you are looking to
authenticate to a wireless network, you may need to install the
certificate (and associated private key) to the Machine Certificates,
not the User Certificates.  You can access this by running MMC.exe,
select File > Add Ins..., click Add, select Certificate Manager,
select the store you want to interact with, hit OK, and then select
Add, Certificate Manager, and then the others, all in turn.  Once you
are done, hit OK, and you should see all of your Certificate Manager
instances in the left of the window.

I hope this helps,

-Kyle H

On Mon, Aug 25, 2008 at 12:10 PM, Leonard F. Elia
<[EMAIL PROTECTED]> wrote:
> I have had to add certs to two different places in Windows in order for
> them to be found.
>
> I added them using system32/certmgr -- but that is not enough.  I have found
> I also need to add them using the certificate control panel in Internet
> Explorer.  I use certs to sign documents in OpenOffice among others.  If you
> are finding that you cannot find certs you thought you had added, try adding
> them in both of these places.
>
> Lee
>
> Sergio wrote:
>>
>> Venkata LK Mula wrote:
>>>
>>> Hi,
>>>
>>> With reference to the above mentioned subject, we have generated root,
>>> server and client certificates in .pfx (p12) and .der format in FreeRADIUS
>>> using OpenSSL, and installed these certificates on the Windows XP client. And
>>> when I'm trying to associate the Windows client to the network, it is
>>> displaying the message "Windows was unable to find the certificate to log
>>> you on the network Roaming test2". Can anybody look into the issue and
>>> suggest possible solutions for the same, please?
>>>
>>> regards,
>>>
>>> Venkat
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>
>>   If you used the freeradius utilities to issue certificates (make ca.pem,
>> make server.pem, make client.pem, bootstrap command etc.), you need to mark
>> the server certificate as CA:true or something like this, because the server
>> is the issuer of client certs (at least, in the default radius PKI). See and
>> compare ca.cnf and server.cnf and you will see that the default configuration
>> doesn't put issuing permissions into the server certificate, only into the CA's.
>> Because the server hasn't got issuing permission, Windows considers that
>> the certification route is broken. You can see it in Mozilla or IE.
>>    If you don't want to use the server certificate to sign client certs, you can
>> issue them with ca.pem, changing only two options in the Makefile file
>> (client.pem rule), or you can put in your own commands. I have this
>> configuration and it works perfectly, it's just a different PKI.
>> But, if your client certs are now signed by the root authority and Windows
>> was unable to find it, I can't help you more :)
>> Also, be sure that server and client certs have the correct extensions to
>> work on XP. These extensions are KeyUsage and a list of numbers separated by
>> points. The above commands, in this case, add these extensions. Hope this helps.
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           [EMAIL PROTECTED]
>>
>
> --
> Leonard F. Elia III, CISSP     757.864.5009
> Sr. System Administrator
> ConITS - NASA Langley Research Center
> NCI Information Systems, Inc., Hampton VA
>
>
>
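
The chain problem described in Sergio's reply, reproduced with the openssl command line as an added example (it is not from the thread or from the FreeRADIUS Makefile). Subjects, file names and the ext.cnf section names are made up; serverAuth and clientAuth are the named forms of the dotted extended key usage OIDs.

```shell
#!/bin/sh
# Added example: subjects, file names and ext.cnf section names are constructed.

# build_chain DIR SERVER_BC: make a root CA, a server cert whose basicConstraints
# is SERVER_BC, and a client cert signed twice: by the server cert and by the CA.
build_chain() (
    set -e
    mkdir -p "$1"; cd "$1"
    cat > ext.cnf <<EOF
[ca]
basicConstraints = critical,CA:TRUE
[server]
basicConstraints = critical,$2
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # One key and CSR per role (relies on the system's default openssl.cnf).
    for n in ca server client; do
        openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
            -subj "/CN=Example $n" 2>/dev/null
    done
    sign() {  # sign CSR OUT SECTION SIGNING-ARGS...
        csr=$1; out=$2; sect=$3; shift 3
        openssl x509 -req -in "$csr" -out "$out" -days 30 \
            -extfile ext.cnf -extensions "$sect" "$@" 2>/dev/null
    }
    sign ca.csr ca.pem ca -signkey ca.key
    sign server.csr server.pem server -CA ca.pem -CAkey ca.key -CAcreateserial
    sign client.csr client_by_server.pem client \
        -CA server.pem -CAkey server.key -CAcreateserial
    sign client.csr client_by_ca.pem client -CA ca.pem -CAkey ca.key -CAcreateserial
)

# Root -> server -> client: only validates if the server cert is itself a CA.
verify_via_server() {
    openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" \
        "$1/client_by_server.pem" >/dev/null 2>&1
}

# Root -> client: the alternative PKI where the CA signs client certs directly.
verify_via_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/client_by_ca.pem" >/dev/null 2>&1
}
```

Running `build_chain` with `CA:FALSE` and then with `CA:TRUE` shows the server-issued client certificate failing validation in the first case and passing in the second, while the CA-issued one validates either way.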