cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Phil Mayers p.mayers at imperial.ac.uk
Fri Jul 25 09:44:15 CEST 2008


On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:
>Phil Mayers wrote:
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>
>  It's intentional.  It's a perfectly valid use of certificate chains.
>
>  The idea is that you have one CA for your organization, and (perhaps)
>multiple RADIUS servers.  Each server has its own identity, and can
>issue its own client certs for EAP-TLS.  But client certs will work
>across multiple servers, because the servers are signed by the same CA.

Ah, I see.
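
Added example (not part of the original thread, and not the FreeRADIUS Makefile): a shell sketch of the chain described above, an organisation CA, a RADIUS server certificate signed by it, and a client certificate signed with the server's key, checked with `openssl verify` the way a second server that trusts only the CA would. The names, the `demo.cnf` file and the `CA:TRUE` extension on the server certificate are assumptions of this example.

```shell
#!/bin/sh
# Constructed demo; all names (Example Org CA, radius-a, alice) are made up.
d=$(mktemp -d) || exit 1
trap 'rm -rf "$d"' EXIT

cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[issuer_ext]
basicConstraints = critical,CA:TRUE
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

new_csr() {  # $1 = file basename, $2 = common name
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {     # $1 = subject basename, $2 = issuer basename, $3 = extension section
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions "$3" -days 1 \
    -out "$d/$1.pem" 2>/dev/null
}
build_chain() {
  # Self-signed organisation CA.
  openssl req -x509 -config "$d/demo.cnf" -extensions issuer_ext -newkey rsa:2048 \
    -nodes -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=Example Org CA" \
    -days 1 2>/dev/null || return 1
  # Server A is signed by the CA; assumed CA:TRUE so it may act as an issuer.
  new_csr radius-a radius-a && sign radius-a ca issuer_ext || return 1
  # The client certificate is signed with server A's key, as in the thread.
  new_csr client alice && sign client radius-a client_ext
}
# Server B trusts only the org CA. First it is shown just the client leaf ...
verify_leaf_only() {
  openssl verify -CAfile "$d/ca.pem" "$d/client.pem" 2>&1 | grep -q ': OK$'
}
# ... then the leaf plus server A's certificate as an untrusted intermediate.
verify_with_intermediate() {
  openssl verify -CAfile "$d/ca.pem" -untrusted "$d/radius-a.pem" \
    "$d/client.pem" 2>&1 | grep -q ': OK$'
}

build_chain || { echo "openssl failed" >&2; exit 1; }
verify_leaf_only && echo "leaf only: accepted" || echo "leaf only: rejected"
verify_with_intermediate && echo "with server A cert: accepted" || echo "with server A cert: rejected"
```

The second check passes only because server A's certificate is supplied as an intermediate, so a validating server needs it either from the client's presented chain or from local configuration.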


