Multiple radius servers with the same CA

Matt Harlum matt at
Wed Mar 24 11:34:55 CET 2010


Is it possible that make server generated a new CA etc?

I'd recommend making a copy of the current CA cert on each machine and doing a diff.

Matt Harlum

On 24/03/2010, at 9:21 PM, sphaero wrote:

> Hi All,
> I've been searching the archives for a while on some guidance into setting
> up multiple radius servers using the same CA for use with EAP/TTLS.
> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
> I've got 2 radius servers for redundancy. All NAS devices have two radius
> server configured.
> I'm using the scripts from freeradius 2.0 to generate the certificates
> according to instructions in the README. I've setup the ca.cnf and
> server.cnf (not using eap/tls so I skip
> On the primary radius server I generated the certificates by issuing:
> make
> Now on the second radius server I just copy the following files:
> /certs/ca.pem
> /certs/ca.key
> /certs/ca.der
> /certs/*.cnf
> /certs/Makefile
> /certs/README
> /certs/xpextensions
> and issue: 
> make server
> make dh
> This seems to have worked. But is this really correct? 
> I'm renewing one radius server and did this procedure again but now I'm
> receiving "chain could not be validated" errors in SecureW2. Radius log
> seems fine however EAP communication is not finished which corresponds with
> the client stopping communication since it can't validate the certificate.
> I'm really getting lost in the SSL jungle? I would really like to understand
> how this is done right, since it is about security.
> Rg,
> Arnaud

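The comparison suggested in the reply, as an added example that is not part of the original thread: it checks whether two CA files are the same certificate and whether a server certificate validates against the CA the clients trust. The function names, file names and demo subjects are hypothetical; the demo data is constructed to model the case raised above, two CAs with the same subject name but different keys.

```shell
#!/bin/sh
# Added example; helper and file names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed only if both files hold the same certificate (names alone are not enough).
same_ca() {
    fp=$(cert_fp "$1")
    [ -n "$fp" ] && [ "$fp" = "$(cert_fp "$2")" ]
}

# Succeed only if server certificate $2 validates against CA certificate $1.
# The output is matched instead of the exit status because old OpenSSL
# releases returned 0 from "verify" even when validation failed.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed demo data in directory $1: ca_a.pem stands for the CA already
# distributed to clients, ca_b.pem for a CA regenerated later from the same
# configuration (same subject, new key). server.pem is signed by ca_b.
make_demo() {
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Example RADIUS CA" \
            -keyout "$1/ca_$n.key" -out "$1/ca_$n.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius2.example.org" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca_b.pem" \
        -CAkey "$1/ca_b.key" -set_serial 2 -days 30 \
        -out "$1/server.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
openssl x509 -in "$demo_dir/ca_a.pem" -noout -subject
openssl x509 -in "$demo_dir/ca_b.pem" -noout -subject
same_ca "$demo_dir/ca_a.pem" "$demo_dir/ca_b.pem" \
    && echo "CA files match" || echo "CA files differ despite equal subjects"
chains_to "$demo_dir/ca_a.pem" "$demo_dir/server.pem" \
    && echo "server.pem chains to client CA" \
    || echo "server.pem does NOT chain to client CA"
rm -rf "$demo_dir"
```

On real servers, run `same_ca` on the CA file copied from each machine and `chains_to` with the CA file that was distributed to the clients.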