Quick question RE: FreeRADIUS Trusted Root CA List
Sebastian Heil
s3b0 at gmx.de
Sat Feb 2 10:30:52 CET 2008
-------- Original Message --------
> Date: Fri, 1 Feb 2008 10:39:27 -0800
> From: "Cerney, Lawrence" <Lawrence.Cerney at flukenetworks.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Quick question RE: FreeRADIUS Trusted Root CA List
> I work in a test environment and need to test with certs created with
> different CA's. I haven't been able to get more than one CA at a time
> to work. I've got 8 CA's and I need to keep 7 commented out for the
> certs to authenticate.
>
> The question is can FreeRADIUS support more than one CA at a time, and
> if so how?
>
> FreeRADIUS 1.0.0-Pre3
>
> tls {
> private_key_password = password
> private_key_file = /etc/1x/freeradius.pem
> #private_key_file = /etc/1x/server512.pem
> #private_key_file = /etc/1x/server1024.pem
> #private_key_file = /etc/1x/server1024v3.pem
> #private_key_file = /etc/1x/server1536.pem
> #private_key_file = /etc/1x/server2048.pem
> #private_key_file = /etc/1x/server4096.pem
>
> # If Private key & Certificate are located in
> # the same file, then private_key_file &
> # certificate_file must contain the same file
> # name.
> certificate_file = /etc/1x/freeradius.pem
> #certificate_file = /etc/1x/server512.pem
> #certificate_file = /etc/1x/server1024.pem
> #certificate_file = /etc/1x/server1024v3.pem
> #certificate_file = /etc/1x/server1536.pem
> #certificate_file = /etc/1x/server2048.pem
> #certificate_file = /etc/1x/server4096.pem
>
> # Trusted Root CA list
> CA_file = /etc/1x/FlukeNetWotter.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_512_CA.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_768_CA.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_1024_CA.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_1280_CA.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_1536_CA.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_1792_CA.pem
> #CA_file = /usr/local/etc/raddb/certs/PV_2048_CA.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> thanks...
>
> Larry
>
>
>
To trust more than one CA, you simply have to copy all the root certificates into one file, for example:
CA_file = /etc/1x/trustedcas.pem
I tested this with 3 CAs, and it works.
Do you really need 8 different server certificates? So, how should the server decide which certificate it must send to the client?
Sebastian
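The bundling that the reply describes, as an added example that is not part of the original thread or of FreeRADIUS itself: the script below creates three throwaway test CAs with openssl, concatenates two of them into one trustedcas.pem in the shape CA_file expects, lists what ends up trusted, and checks that a client certificate issued by a bundled CA verifies while one issued by the omitted CA is rejected. All CA names, client names and file names are assumptions made for the illustration, constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original thread or the FreeRADIUS project:
# build one trusted-CA bundle from several CA certificates (the fix the
# reply suggests) and check which client certificates it accepts.
# Every CA, client and file below is constructed here with openssl in a
# temp dir; nothing refers to the poster's real files.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed test CA (key + cert) as $WORK/NAME.{key,pem}.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1 Test CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_client CA CLIENT: issue a client certificate for CLIENT signed by test CA CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# build_bundle OUT CA_PEM...: concatenate CA certs into one PEM file, the
# shape the CA_file directive expects. Re-emitting each cert through
# "openssl x509" drops any text dump around the PEM block and guarantees a
# trailing newline, so an END line and the next BEGIN line never run together.
build_bundle() {
    out=$1
    shift
    : > "$out"
    for ca in "$@"; do
        openssl x509 -in "$ca" >> "$out"
    done
}

# count_certs BUNDLE: how many certificate blocks the bundle holds.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# list_subjects BUNDLE: the CA subjects the server would end up trusting.
list_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep '^subject'
}

# verify_against CLIENT_PEM BUNDLE: exit 0 if CLIENT_PEM chains to a CA in
# BUNDLE, non-zero otherwise (the same path check the TLS handshake performs).
verify_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed scenario: three CAs, trust only the first two.
make_ca ca_a
make_ca ca_b
make_ca ca_c
make_client ca_b alice     # issued by a CA that is in the bundle
make_client ca_c mallory   # issued by a CA deliberately left out

BUNDLE="$WORK/trustedcas.pem"
build_bundle "$BUNDLE" "$WORK/ca_a.pem" "$WORK/ca_b.pem"

echo "certificates in bundle: $(count_certs "$BUNDLE")"
list_subjects "$BUNDLE"
if verify_against "$WORK/alice.pem" "$BUNDLE"; then echo "alice: accepted"; fi
if verify_against "$WORK/mallory.pem" "$BUNDLE"; then :; else echo "mallory: rejected"; fi
```

Every certificate in the bundle is trusted equally: a client certificate issued by any of the bundled CAs authenticates, so only the CAs whose clients should get onto the network belong in the file, and the list_subjects step is worth running after every change to see exactly what is trusted. Later FreeRADIUS releases spell the same directive ca_file.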