cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Alan DeKok aland at deployingradius.com
Thu Jul 24 21:14:54 CEST 2008


Phil Mayers wrote:
> Alan - it does look to my untrained eye as if the "client.crt" Makefile
> target in /etc/raddb/certs is signing the client key with the server
> key. Is this intentional, or a bug?

  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
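
The chain described in the reply above, as an added example that is not part of the original message or of the FreeRADIUS certs Makefile: an organization CA signs a server certificate, the server certificate signs a client certificate, and a verifier that trusts only the CA accepts the client once the server certificate is supplied as an intermediate. The names (`ca`, `radius1`, `alice`), subjects and helper functions are constructed, and the example assumes the server certificate is issued with `basicConstraints CA:TRUE` so that `openssl verify` accepts it as an intermediate.

```shell
#!/bin/sh
# Added example, constructed names: org CA -> RADIUS server cert -> client cert.
set -eu

# mkcert NAME SUBJECT ISSUER IS_CA
# Creates NAME.key and NAME.pem; self-signed when ISSUER equals NAME.
mkcert() {
    name=$1; subj=$2; issuer=$3; is_ca=$4
    printf 'basicConstraints=critical,CA:%s\n' "$is_ca" > "$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    if [ "$issuer" = "$name" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" \
            -extfile "$name.ext" -days 1 -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -extfile "$name.ext" -days 1 -out "$name.pem" 2>/dev/null
    fi
}

# chain_ok CERT [INTERMEDIATE]
# Succeeds if CERT verifies with ca.pem as the only trust anchor.
chain_ok() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile ca.pem -untrusted "$2.pem" "$1.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile ca.pem "$1.pem" >/dev/null 2>&1
    fi
}

# Build the three-level hierarchy in a scratch directory.
build_demo() {
    dir=$(mktemp -d) && cd "$dir"
    mkcert ca      "/CN=Example Org CA"  ca      TRUE
    mkcert radius1 "/CN=radius1.example" ca      TRUE   # assumption: allowed to issue
    mkcert alice   "/CN=alice"           radius1 FALSE  # client cert signed by the server
}

build_demo
# Any server that trusts ca.pem accepts alice when radius1's cert is in the chain.
chain_ok alice radius1 && echo "alice + radius1 intermediate: verifies up to the org CA"
# Without the issuing server's cert the path to the CA cannot be built.
chain_ok alice || echo "alice alone: no path to the org CA"
```

A server that did not issue the client certificate needs the issuing server's certificate, either sent by the client or configured locally, to complete the path to the shared CA.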
