Thank you all for all the answers. The problem is that Cisco prescribes the attributes.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

CAPF CSR:

    Attributes:
    Requested Extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, IPSec End System
        X509v3 Key Usage:
            Digital Signature, Certificate Sign

Unfortunately, the Cisco CUCM telephone systems do not seem to accept certificates without these attributes :-(.

If I understand everything correctly, would the only (and unclean) workaround be adding "TLS Web Client Authentication" to solve my problem?

Robert

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Salz, Rich via openssl-users
Sent: Monday, January 22, 2018 00:39
To: openssl-users@xxxxxxxxxxx
Subject: Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

➢ The sensible thing at this point is to publish an update to RFC5280 that accepts reality.

Yes, and there’s an IETF place to do that if anyone is interested; see the LAMPS working group.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
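The effect discussed in this thread can be reproduced offline with a throwaway PKI, shown here as an added example that is not from the original messages: OpenSSL applies an Extended Key Usage on a CA certificate to the chains below it, so `-purpose sslclient` rejects a client certificate issued by a CA whose EKU lacks `clientAuth`. All names, keys and files are constructed for the demo, `chain_ok` is a hypothetical helper, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# chain_ok "<CA extendedKeyUsage list>"
# Returns 0 if a TLS client certificate issued by a CA with that EKU verifies.
chain_ok() {
    dir=$(mktemp -d) || return 2
    # CA profile: key usage as in the CAPF CSR quoted above, EKU from the caller.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed CAPF Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = digitalSignature,keyCertSign
extendedKeyUsage = $1
EOF
    # Leaf profile: an ordinary TLS client certificate (constructed).
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Build CA and leaf, then run the purpose check a TLS server applies
    # to a client chain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=constructed-phone" -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null &&
    openssl verify -purpose sslclient -CAfile "$dir/ca.pem" \
        "$dir/leaf.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Compare the prescribed CA EKU with the same EKU plus clientAuth.
for eku in "serverAuth,ipsecEndSystem" "serverAuth,ipsecEndSystem,clientAuth"; do
    if chain_ok "$eku"; then echo "CA EKU [$eku]: client chain verifies"
    else echo "CA EKU [$eku]: client chain rejected"; fi
done
```

To see the exact verification error rather than only the exit status, remove the output redirection on the `openssl verify` line.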