CA Chain

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Wed Jan 24 10:40:36 CET 2007


Jeffrey Sewell wrote:
> Thank you.
> 
> So if I understand this correctly, radiusd is not looking for a
> directory with checksum'd certificates, just one file with all the
> certificates in it?

Both are possible.

CA_path = ${raddbdir}/certs/trustedCAs/

with c_rehash generated fingerprint symlinks for a directory of trusted CA
certificates for EAP-TLS (with client authentication by client certificates).

Or

CA_file = ${raddbdir}/certs/trustedCAs.pem

a file with possibly multiple PEM formatted CA certificates for EAP-TLS
(with client authentication by client certificates).

My point was that the chain of the radius-server-certificate is actually to
be *added* to the file with the radius-server-certificate itself.

And that if you want to do plain EAP- *T* TLS and only EAP-TTLS to be
careful to leave CA_file and CA_path nulled/empty.

I remember that the inline documentation of the eap.conf file suggests to
put the CA certificate issuing the radius-server's server-certificate into
the CA_file, which could open up unwanted EAP-TLS client authentication by
client certificates if this CA issued client certificates.

If you configure radiusd to do EAP-TLS also make sure to use the check_crl =
yes option and have up-to-date CRLs available in the CA_path. Make sure
c_rehash is building the fingerprint symlinks here as well.

To automatically freshen/download CRLs by e.g. cron there is a neat script
with some built-in CRL checking etc. available at
http://dist.eugridpma.info/distribution/util/fetch-crl/

HTH

-- 
Kind Regards

Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737

14th DFN-CERT Workshop and Tutorials, CCH Hamburg, 7-8 February 2007
Info/registration at: https://www.dfn-cert.de/events/ws/2007/
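The advice in the post above (chain appended to certificate_file, CA_file/CA_path empty for TTLS-only, check_crl with CRLs in CA_path) as a small audit script. This is an added example, not code from the post or from the FreeRADIUS project; the eap.conf fragment and PEM contents are constructed, and the parser assumes a flat tls { } block without nested sub-blocks.

```python
import re
# Constructed eap.conf tls {} fragment (not from the original post), flat,
# with only the keys the post discusses.
SAMPLE_TLS_CONF = """
tls {
    certificate_file = ${raddbdir}/certs/server.pem
    CA_file = ${raddbdir}/certs/trustedCAs.pem
    CA_path = ${raddbdir}/certs/trustedCAs/
    check_crl = no
}
"""
# Constructed stand-in for certificate_file: a single certificate, i.e. the
# issuing chain has NOT been appended (bodies are dummies, not real certs).
SAMPLE_SERVER_PEM = "-----BEGIN CERTIFICATE-----\ndummy\n-----END CERTIFICATE-----\n"
CA_BLOCK = "-----BEGIN CERTIFICATE-----\ndummy-ca\n-----END CERTIFICATE-----\n"

def parse_tls_section(text):
    """Key = value pairs inside a flat tls { ... } block (no nested blocks)."""
    m = re.search(r"tls\s*\{(.*?)\n\s*\}", text, re.S)
    cfg = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            cfg[k] = v.strip('"')
    return cfg

def count_pem_certs(pem):
    return pem.count("-----BEGIN CERTIFICATE-----")

def audit_tls(cfg, server_pem, eap_tls_in_use):
    """Check the post's advice; returns a list of findings (empty = fine)."""
    findings = []
    if count_pem_certs(server_pem) < 2:
        findings.append("certificate_file holds only the server cert: append its issuing chain")
    ca_set = bool(cfg.get("CA_file")) or bool(cfg.get("CA_path"))
    if not eap_tls_in_use and ca_set:
        findings.append("EAP-TTLS only: leave CA_file and CA_path empty, or client certs get accepted")
    if eap_tls_in_use:
        if not ca_set:
            findings.append("EAP-TLS: CA_file or CA_path must list the trusted client CAs")
        if cfg.get("check_crl", "no").lower() != "yes":
            findings.append("EAP-TLS: set check_crl = yes")
        elif not cfg.get("CA_path"):
            findings.append("check_crl = yes needs c_rehash'ed CRLs in CA_path")
    return findings

if __name__ == "__main__":
    for line in audit_tls(parse_tls_section(SAMPLE_TLS_CONF), SAMPLE_SERVER_PEM, True):
        print("FINDING:", line)
```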