OK :) I provide the certificate files and eap.conf in a tarball so as
not to post too long a mail.
If I print user@example.com.pem in text form I see how radius is the
issuer of the certificate. This is the default PKI and I don't know
what I'm doing wrong.
Thanks for your attention.
I get the exact same error at the CLI:
[pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < server.pem
stdin: OK
[pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < user\@example.com.pem
stdin: /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
Your certificates are invalid:
* server.pem is signed by ca.pem, which is correct:
    Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority
    Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
* user.pem is signed by *server.pem* which is WRONG
    Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
    Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.com/emailAddress=user@example.com
You have signed the user cert with the server cert, which is
incorrect. You must sign the user cert with the CA cert.
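
The diagnosis above, reproduced on a throwaway PKI (an added example, not part of the original messages; the subjects, file names and the helpers sign, issuer_of and verifies are made up for the illustration). It issues one user certificate from the server certificate and one from the CA, then runs the same openssl verify check against ca.pem:

```shell
#!/bin/sh
# Constructed demo PKI in a temp dir; all names and subjects are made up.
set -eu
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

# Self-signed CA, then a key and CSR for the server and for two user certs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Certificate Authority" \
    -keyout "$D/ca.key" -out "$D/ca.pem" 2>/dev/null
for n in server user_bad user_good; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
        -keyout "$D/$n.key" -out "$D/$n.csr" 2>/dev/null
done

# sign NAME ISSUER SERIAL: issue NAME.pem from NAME.csr with ISSUER's cert and key.
sign() {
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
        -set_serial "$3" -days 1 -out "$D/$1.pem" 2>/dev/null
}
sign server ca 1
sign user_bad server 2   # the mistake from the thread: issuer is the server cert
sign user_good ca 3      # correct: issuer is the CA

# issuer_of NAME: print the issuer field of NAME.pem.
issuer_of() { openssl x509 -in "$D/$1.pem" -noout -issuer; }

# verifies NAME: succeed only if NAME.pem chains to ca.pem and nothing else.
verifies() {
    openssl verify -CAfile "$D/ca.pem" "$D/$1.pem" 2>&1 | grep -q ': OK$'
}

for n in server user_bad user_good; do
    if verifies "$n"; then r=OK; else r=FAIL; fi
    echo "$n: $r ($(issuer_of "$n"))"
done
```

Comparing the issuer field of a failing certificate with the subject of ca.pem, as issuer_of does here, shows which key actually signed it.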