[openssl-dev] Certificates generated using 3k/4k CSR generated with OpenSSL fails on Windows 2008R2

[Jayalakshmi bhat]

Hi All,

I am generating 1k/2k/3k/4k CSR's on our device using OpenSSL library. I am
generating these CSR on our device. We have windows 2008 R2 servers and I
am signing these CSR using certificate authority on windows server.  I am
 setting only client and server authentication bits in the CSR since these
are simple end entity certificates. Once certificates are generated , I am
 able to install the certificates on our device.

These certificates are working well with 802.1x (EAP-TLS) setup on the same
windows 2008 R2 server. However when I was trying to test IPsec with
certificate based authentication, authentication is failing.Enabling the
IPsec event viewer shows error in accepting the certificate and generates a
“invalid signature” message which looks to be generic. Failures are seen
only with 3k and 4k certificates.

Later I  refered to a link http://blog.gentilkiwi.com/tag/bag-attributes added
 -LMK -CSP "xxx" -name options, certificate worked well. I wanted to know
is any one having similar experience with 3k and 4k ID certificates that
does not have these fields on windows system.

Any help is appreciated.

Regards
Jayalakshmi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160808/e3709c03/attachment.html>