Hi All, I am generating 1k/2k/3k/4k CSR's on our device using OpenSSL library. I am generating these CSR on our device. We have windows 2008 R2 servers and I am signing these CSR using certificate authority on windows server. I am setting only client and server authentication bits in the CSR since these are simple end entity certificates. Once certificates are generated , I am able to install the certificates on our device. These certificates are working well with 802.1x (EAP-TLS) setup on the same windows 2008 R2 server. However when I was trying to test IPsec with certificate based authentication, authentication is failing.Enabling the IPsec event viewer shows error in accepting the certificate and generates a ?invalid signature? message which looks to be generic. Failures are seen only with 3k and 4k certificates. Later I refered to a link http://blog.gentilkiwi.com/tag/bag-attributes added -LMK -CSP "xxx" -name options, certificate worked well. I wanted to know is any one having similar experience with 3k and 4k ID certificates that does not have these fields on windows system. Any help is appreciated. Regards Jayalakshmi -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160810/f755039f/attachment.html>