Setting up Freeradius - Not getting client prompt for Cert acceptance [RESOVLED]
-
Setting up Freeradius for EAP-PEAP and believe I have everything setup and ready to go. The problem is that when I have a client attempt to connect, I never see the prompt for the server cert I created in the pfsense cert manager.
Have tried on two separate Win7 clients. Not sure where to go from here.
rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=119, length=224 User-Name = "chris" Acct-Session-Id = "6896F9E0-0027105150F4-0000000950" Calling-Station-Id = "00-27-10-51-50-F4" Called-Station-Id = "00-23-68-95-2C-42:NULL-T" Symbol-Current-ESSID = "NULL-T" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 192.168.0.101 NAS-Identifier = "7131-DRm" NAS-Port-Id = "radio2" Connect-Info = "CONNECT 300Mbps 802.11an" EAP-Message = 0x0201000a016368726973 Message-Authenticator = 0xec13edf1bb0cbebf4d17ceb0b0cd1b8e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "chris", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry chris at line 2 ++[files] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Item Name: Calling-Station-Id, Value: 00-27-10-51-50-F4 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.0.101 port 1071 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x049e6912049c7011beb991aee0a3b1c2 Finished request 30. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=120, length=337 User-Name = "chris" Acct-Session-Id = "6896F9E0-0027105150F4-0000000950" Calling-Station-Id = "00-27-10-51-50-F4" Called-Station-Id = "00-23-68-95-2C-42:NULL-T" Symbol-Current-ESSID = "NULL-T" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 192.168.0.101 NAS-Identifier = "7131-DRm" NAS-Port-Id = "radio2" Connect-Info = "CONNECT 300Mbps 802.11an" State = 0x049e6912049c7011beb991aee0a3b1c2 EAP-Message = 0x0202006919800000005f160301005a010000560301515cd999803d50ec34314f837e3ca5a084ded764701a3ca7abf7fa16edaf277b000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 Message-Authenticator = 0x30375bd20ca2e7ae301002aab17c6913 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "chris", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 097e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 120 to 192.168.0.101 port 1071 EAP-Message = 0x0103040019c0000009c216030100310200002d0301515cd998ffb57c469c3a29b30496288244578726bf4dbf35a3d9ef70bf27316600002f000005ff01000100160301097e0b00097a0009770004f1308204ed308203d5a003020102020102300d06092a864886f70d010105050030818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d6361301e EAP-Message = 0x170d3133303430343031303135365a170d3233303430323031303135365a308192310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311c301a060355040313137261646975732e636b656c6c792e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100c4139a9bec7714fd669a7d6be2f88d7533f80727d0ecc14226b74354750415c67c7b9f98446b51bd23 EAP-Message = 0x1ffe5ebd1ec5aed27224c8aa0d078e431e74f55beee85fde0195c083c66ddc917164f156b201e46004c592e51c3e0693f847f8ff4675e34ab16909a2680216f55b4e99501bddb5b1c32ec0b4ce84589fde697581c3b5912a4b4b1a659aa37e8c83e241a8df17814be4db87fb1b7e0d30475176b4d898116208e3abbe5a7bba503f5cec9a6b14295b2edc6ed2ea545cfbf8285602d7a39f05d69d04e4e9ede331c052a3fd0b6575999623064e3b4a61dd53b52f4e27ffcbcc056be478e0addc0a83a5cfe12283863e37ccfa85d29747e0840655f89794290203010001a38201523082014e30090603551d1304023000301106096086480186f842010104 EAP-Message = 0x0403020640303306096086480186f842010d042616244f70656e53534c2047656e65726174656420536572766572204365727469666963617465301d0603551d0e04160414c40e05c372c7367fc05ec3b7637c88a74cb122813081b70603551d230481af3081ac80140ffb11356c6450890b4abe34d471c347b066369da18190a4818d30818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430 EAP-Message = 0x120603550403130b696e7465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x049e6912059d7011beb991aee0a3b1c2 Finished request 31. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=121, length=238 User-Name = "chris" Acct-Session-Id = "6896F9E0-0027105150F4-0000000950" Calling-Station-Id = "00-27-10-51-50-F4" Called-Station-Id = "00-23-68-95-2C-42:NULL-T" Symbol-Current-ESSID = "NULL-T" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 192.168.0.101 NAS-Identifier = "7131-DRm" NAS-Port-Id = "radio2" Connect-Info = "CONNECT 300Mbps 802.11an" State = 0x049e6912059d7011beb991aee0a3b1c2 EAP-Message = 0x020300061900 Message-Authenticator = 0x69f5705b94d25d326a384f8cf51bb08b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "chris", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 121 to 192.168.0.101 port 1071 EAP-Message = 0x010403fc1940726e616c2d636182010030130603551d25040c300a06082b06010505070301300b0603551d0f0404030205a0300d06092a864886f70d01010505000382010100263fadbadbe85dc29621ee1dc252de4124152a96a0a245481f7f53dd9d88759bd2d145cb0a9ffa53afe0b6dd2e55a504f821f0c85a1e38fdac567f95913f17473b8c93430e673194409a522acb6037f829686ae264653ee9b174151c60d5483f23d0545c5d00c067b20ae717049c940d10c6c5700b66457c175c66d87f8489c4781fa2d21cbc9126e724396c37835a354a5d1c1d1714d0783d0c9988c8bea3775c1c0d0c708517cf21239ee958488cbad9304f1946e2b4 EAP-Message = 0xac20314f9daa1886266946fd8bebdcf6151f91da71f7f8ff1da25d7c1be1c6a25122b168631390aa8f86040fd7f2f824e6cfed20bb0c91f3a88fb1e204678be24edd2e1eec1dc135ef0004803082047c30820364a003020102020100300d06092a864886f70d010105050030818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d6361301e170d31 EAP-Message = 0x33303430343030353833385a170d3233303430323030353833385a30818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d636130820122300d06092a864886f70d01010105000382010f003082010a0282010100a6411b08e5017a5b84564912b8b59327f7c24a30f816a915b0af31c48564b6024058e0599324c7162df9bd3593e562d91c9cab3e EAP-Message = 0x790713244ad3493e809c5bb1794a547f1683b692bec74d8bc2fb7d7bdeafc832d0f8020175491d33c66b9e977cec8f7899b5b2791d3d19c0324ef3ea7dada2c524949de71959a9711ab62941e12d47561b90af29f3832f00d3dc5447cde009b051160bea1a1ca32fa6a0512f86dd2a29620c871f47a43565f7046490f69697ecad39152dd19f45a4f98cee64b5e80b39913d9cb9cd55294ef979ce699ad039db1de7a474699e4b998a5c4315c924f0ac98b21838a881a32b1fad6a0b32a2e1eac0b49b4aa2dc9d1f22efac570203010001a381ea3081e7301d0603551d0e041604140ffb11356c6450890b4abe34d471c347b066369d3081b70603551d EAP-Message = 0x230481af3081ac80 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x049e6912069a7011beb991aee0a3b1c2 Finished request 32. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=122, length=238 User-Name = "chris" Acct-Session-Id = "6896F9E0-0027105150F4-0000000950" Calling-Station-Id = "00-27-10-51-50-F4" Called-Station-Id = "00-23-68-95-2C-42:NULL-T" Symbol-Current-ESSID = "NULL-T" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 192.168.0.101 NAS-Identifier = "7131-DRm" NAS-Port-Id = "radio2" Connect-Info = "CONNECT 300Mbps 802.11an" State = 0x049e6912069a7011beb991aee0a3b1c2 EAP-Message = 0x020400061900 Message-Authenticator = 0x1d3fd076d700c45bfbbbd5acdf9171c1 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "chris", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 122 to 192.168.0.101 port 1071 EAP-Message = 0x010501dc1900140ffb11356c6450890b4abe34d471c347b066369da18190a4818d30818a310b30090603550406130255533110300e0603550408130747656f72676961310f300d0603550407130643616e746f6e311b3019060355040a13124d6f746f726f6c6120536f6c7574696f6e733125302306092a864886f70d0109011616686f6f707966726f6f64343240676d61696c2e636f6d311430120603550403130b696e7465726e616c2d6361820100300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005f71185515fedac98bf24b8843970db4f5a2aaa722c1189fb2074e238fdb87b3c516e7b0aeef4b5fcd9c EAP-Message = 0x5f01fb8b70a32589336685f9fa23ae42d2e7c620f8c1a6cc05b709fb8a5b87b841b1c3390529db1c2b3d3d8d1add0b48ae16f5c60c1245487096b531172114692c176338aa97a871479000defbc5caf42821d93c1fb7dea1a69e2851aab6a9fe73a5a1dfdce1ec55a0555576f6b03eba2dd3e2f28ddf87e9cb13bb692fb784b3e5e22befdfedc164c93d4d89098272cb0a7740c9cf7e1bd676fb0059b82fd33a3661055a1ccf7f70ea0a9c39aadb6a9214b838e4dacefaabab7a70e643ea1acdfea09f7942cf34c3ddc0d386290f5643dbacce0f05a216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x049e6912079b7011beb991aee0a3b1c2 Finished request 33. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.0.101 port 1071, id=123, length=249 User-Name = "chris" Acct-Session-Id = "6896F9E0-0027105150F4-0000000950" Calling-Station-Id = "00-27-10-51-50-F4" Called-Station-Id = "00-23-68-95-2C-42:NULL-T" Symbol-Current-ESSID = "NULL-T" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 192.168.0.101 NAS-Identifier = "7131-DRm" NAS-Port-Id = "radio2" Connect-Info = "CONNECT 300Mbps 802.11an" State = 0x049e6912079b7011beb991aee0a3b1c2 EAP-Message = 0x0205001119800000000715030100020230 Message-Authenticator = 0x0c8648b9543098dcc1f4cdd8f0d13113 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "chris", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "chris", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 5 length 17 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. expand: -> Login incorrect (TLS Alert read:fatal:unknown CA): [chris/<via auth-type="EAP">] (from client testAP port 1 cli 00-27-10-51-50-F4) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> chris attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 34 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 34 Sending Access-Reject of id 123 to 192.168.0.101 port 1071 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 30 ID 119 with timestamp +998 Cleaning up request 31 ID 120 with timestamp +998 Cleaning up request 32 ID 121 with timestamp +998 Cleaning up request 33 ID 122 with timestamp +998 Waking up in 1.2 seconds. Cleaning up request 34 ID 123 with timestamp +999 Ready to process requests.</via>
-
You have to create the CA and server cert on pfsense "Cert Manager" or you import it from somewhere else.
After that go to:
services –> freeradius --> EAP
Select "CHose pfsense Cert Manager"
empty the privat key password - you do not need any
select your CA
select your SERVER cert
click saveSometimes it could help to click a second time "Save".
On Windows you must make sure that the client has enabled to verify the CA. This is not always the case and can be disabled.
Take a look here. It shows you the "validate server certificate"
http://i.technet.microsoft.com/dynimg/IC120658.gifhttp://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#PEAP_and_MSCHAPv2
-
That's pretty much how I have it set up. The only difference was that I had set a Private Key password in the Certificates for TLS section in the EAP tab. Tried saving a couple extra times too.
No difference in the behavior though. -
You can try to go to
/usr/local/etc/raddb/certs/
and delete the certificates there.
After that go back to the GUI, select your CA and server cert and click save and make sure it places the certificates in the path I postet above.
If it does then it should be ok.With the GUI tab "View config" you can check eap.conf if it points to the correct certificates.
Did you disable the WEAP EAP types ? If you disabled them then please try to enable them and try again.
From googleing:
Are you using an intermediate certificate ? -
Before I actually delete anything in the certs, directory, are you saying that I should delete all the files or just certain ones?
I have already disabled the weak EAP types. Once I get an answer for the above, I'll try with and w/o again.
Regarding the Intermediate cert, don't think I am since I didn't do anything to set this up. Just trying to setup a self-signed cert at this point…and from what I've been reading, I probably don't even want to use a root CA cert, for security reasons. If you feel like responding this this subject, would love to hear your thoughts. ;D[EDIT]
In Cert Manager->Certificates, I deleted the existing CA and server certs I had previously created and then regenerated them.
Looking the /certs dir, I do see new instances of (ca_cert.pem, ca_key.pem, server_cert.pem, and server_key.pem).
Also enabled the weak EAP option.Still not being prompted to accepted cert though.
Regarding the Intermediate cert: I'm assuming that I use the 'Create an Internal CA' option. I did NOT use the Intermediate option.
[EDIT-2]
Found the culprit.
Apparently, I needed to have the User 'Password Encryption' set to Cleartext, instead of MD5. -
Yes of course. User password encryption must be cleartext. I didn't thought on this fact. ::)
The encryption on "Users" encrypts just the password in the users file. But if you do so then the authentication module must be able to decode this one. I am not to familar with that but as far as I know this works with PAP. -
So it looks like I'm 99% there.
If I configure the client to validate the server cert but do not specify any certs in the trusted root CA list, I get the 'Credentials provided by the server couldn't be validated' warning, and can choose to accept and connect…and it works.
But, next I:
Export the ca.crt from pfsense (Cert Manager->Certificates) and then import it into the Win7 client (added to both the Personal and root CA stores)
Reconfigure the client to Validate the server cert that I imported, that is now listed in the list trusted root CAs
Upon trying to connect, I enter my login info and then I get the message that I'm unable to connect.Looking at the CLI logs, I once again see messages:
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate ASeems like the client supplicant isn't making use of the ca cert I imported.
I've tried deleting the cert on the client (using mmc) and re-importing the ca cert again. No luck.[EDIT] Fixed it.
Apparently I have a lot to learn about certs.
I needed to export the CA cert that is listed under the "CAs" tab in the Cert Manager.
What I had done was to export the cert that I thought was the CA cert that I created and was listed under the "certificates" tab.
Still don't know the how/why this fixed it, but I'd really like to understand this better! ;D -
The client certificate and client key is for the clients only.
The server certificate and key is for the server only.The CA certificate can be used by anyone but never never give the CA key to someone else or this person is able to create unlimited certificates based on this CA.
The validation for the CA certificate is more a thing for the user on the client. If a client connects to a server which CA is called "My littly bunnies" but you want to connect to a server called "My Company" then the user should carfefule and make sure if he really wants to connect to the "wrong" server.
On the server site the server checks the client certificate against the CA and with the CA key it is possible to verify if this client certificate is really created from that CA or from another.
I am no CA/certificate expert but I hope this could help you a little bit. So to make it short:
If you give something to a client then just:-
CA.cert (not CA.key)
-
Client.cert
-
Client.key
These things could come together in a .p12 file or in single files. It could be .crt, .pem, .der which is mostle the same but different formats for different systems.
-
-
Thanks, Nachtfalke!
I've got everything working at this point….finally. ;D
Your explanations of different files helps too! Much appreciated!