cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
William Hegardt
whegardt at gmail.com
Tue Aug 19 17:41:20 CEST 2008
I hate to resurrect this long thread from July 22-28, but I have the
same problem and never saw a resolution.
I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4
(latest to date).
I'm using the bootstrap script to generate example certificates.
I also created a client certificate using make client.pem. I configured
wpa_supplicant with ca.pem, client.pem and client.key.
EAP-TLS authentication fails with the "fatal unknown ca" message.
If I hack the Makefile like Sergio mentioned last month to sign the
client certificate with the CA key, then authentication succeeds.
In last month's thread, Alan DeKok posted:
> You need to follow the documentation in eap.conf.
>
> # If CA_file (below) is not used, then the
> # certificate_file below MUST include not
> # only the server certificate, but ALSO all
> # of the CA certificates used to sign the
> # server certificate.
> certificate_file = ${certdir}/server.pem
>
> Have you done that?
In my case, CA_file does indeed refer to ca.pem as created by the
bootstrap script. So I'm assuming that I don't need to touch the
server.pem file as created.
I'd really like to understand what's wrong. Could wpa_supplicant be
somehow incompatible with the bootstrap certificate chain?
Thanks
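
One way to check which key issued a client certificate and whether it verifies against ca.pem alone, as an added example that is not part of the original post or of the FreeRADIUS bootstrap scripts. It builds a constructed throwaway PKI (the "Demo" names and file names are hypothetical) and assumes the failing case is a client certificate issued by the server key instead of the CA key.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not the FreeRADIUS bootstrap output.

# Build a CA, a server cert signed by the CA, and two client certs in $1:
# client_ca.pem is signed by the CA key, client_srv.pem by the server key.
make_demo_pki() (
    cd "$1" || exit 1
    newreq() {  # $1 = base name, $2 = subject CN
        openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
            -subj "/CN=$2" >/dev/null 2>&1
    }
    sign() {    # $1 = base name to sign, $2 = issuer base name
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -days 1 -out "$1.pem" >/dev/null 2>&1
    }
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo CA" -days 1 >/dev/null 2>&1 || exit 1
    newreq server "Demo Server" && sign server ca || exit 1
    newreq client_ca "Demo Client A" && sign client_ca ca || exit 1
    newreq client_srv "Demo Client B" && sign client_srv server || exit 1
)

# Succeeds only if cert $2 verifies directly against the CA file $1,
# i.e. what a peer that trusts only ca.pem will accept.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer line so the signer of a certificate is visible.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

report() {  # $1 = directory holding ca.pem and the client certs
    for c in client_ca client_srv; do
        if chains_to_ca "$1/ca.pem" "$1/$c.pem"; then r=OK; else r="unknown CA"; fi
        echo "$c.pem: $r ($(issuer_of "$1/$c.pem"))"
    done
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" && report "$tmp"
rm -rf "$tmp"
```

Running `chains_to_ca` and `issuer_of` against the real ca.pem and client.pem shows whether the client certificate was issued by the CA named in CA_file or by some other key.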