id-kp-eapOverLAN extended key usage


At the University of York, we obtain our Comodo SSL certs through UKERNA, the governing body of the UK academic network. I recently obtained one for an ARUBA CLEARPASS server for use in RADIUS authentication. Having installed the certificate with the appropriate intermediate and root CAs, I get the following error message:

There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.

The support staff at UKERNA haven’t been able to help with this and suggested I contact Comodo. Do I have to do something in the openssl config file before generating my CSR in order to get the above extended key? Should it be there by default?


We presently do not support the EKU that you’re looking for.

Furthermore, according to Microsoft [Connections to Organization Networks with Multiple RADIUS Servers | Microsoft Learn], you should use a private CA:

You must deploy a private CA rather than obtain server certificates from a third party public CA. In addition, the certificate template that you use to issue the certificates must contain the RADIUS EKU extension. This extension is id-kp-eapOverLAN and the object identifier (OID) for this EKU is This EKU extension can only be configured on a private CA and is used by Windows 8 to determine whether a private CA issued the certificate.
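The quoted requirement, that the issuing template on a private CA must contain the EKU, can be tried out with a throwaway CA built with the openssl command line. This is an added example, not part of the original posts and not Comodo's or Aruba's tooling; the CA name, host name and file names are constructed, and the OID 1.3.6.1.5.5.7.3.14 for id-kp-eapOverLAN is taken from RFC 4334, not from this page.

```shell
#!/bin/sh
# Added example: a throwaway private CA issues a RADIUS server certificate,
# with and without id-kp-eapOverLAN. All names below are constructed.
set -eu

EAPOL_OID=1.3.6.1.5.5.7.3.14      # id-kp-eapOverLAN per RFC 4334 (not from the page)
EAPOL_DER=06082b0601050507030e    # the same OID as DER bytes, in hex

# Succeeds if the PEM certificate $1 contains the eapOverLAN OID. Matching the
# DER bytes works whether or not the local OpenSSL has a name for this OID.
has_eapol() {
    openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n' |
        grep -q "$EAPOL_DER"
}

# Create the private CA and the server key plus CSR in directory $1.
make_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
}

# Sign the CSR in $1, granting the extendedKeyUsage list given in $2. The
# CA-side extension file plays the role of the certificate template.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" > "$1/ext.cnf"
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" \
        -out "$1/srv.crt" 2>/dev/null
}

# Issue the certificate with EKU list $2 in directory $1 and report the result.
report() {
    sign_csr "$1" "$2"
    if has_eapol "$1/srv.crt"; then echo "$2: eapOverLAN present"
    else echo "$2: eapOverLAN missing"; fi
}

work=$(mktemp -d)
make_ca_and_csr "$work"
report "$work" "serverAuth"
report "$work" "serverAuth,$EAPOL_OID"
rm -rf "$work"
```

The same CSR is signed twice; only the CA-side extension list changes, which is why the EKU cannot be obtained by editing the CSR alone when the issuing CA does not grant it.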

Do you still not support the id-kp-eapOverLAN EKU?