Multiple radius servers with the same CA

Matt Harlum matt at
Wed Mar 24 13:43:17 CET 2010


John covered pretty much everything I was going to say

I'd recommend choosing a machine to generate your keys and certs on and sticking with that, otherwise you'll end up with SSL Certs with clashing serial numbers 
Plus it'll allow you to revoke certificates later if need be

Matt Harlum

On 24/03/2010, at 11:30 PM, John Dennis wrote:

> On 03/24/2010 06:21 AM, sphaero wrote:
>> Hi All,
>> I've been searching the archives for a while on some guidance into setting
>> up multiple radius servers using the same CA for use with EAP/TTLS.
>> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
>> I've got 2 radius servers for redundancy. All NAS devices have two radius
>> server configured.
>> I'm using the scripts from freeradius 2.0 to generate the certificates
>> according to instructions in the README. I've setup the ca.cnf and
>> server.cnf (not using eap/tls so I skip
>> On the primary radius server I generated the certificates by issuing:
>> make
>> Now on the second radius server I just copy the following files:
>> /certs/ca.pem
>> /certs/ca.key
>> /certs/ca.der
>> /certs/*.cnf
>> /certs/Makefile
>> /certs/README
>> /certs/xpextensions
>> and issue:
>> make server
>> make dh
>> This seems to have worked. But is this really correct?
>> I'm renewing one radius server and did this procedure again but now I'm
>> receiving "chain could not be validated" errors in SecureW2. Radius log
>> seems fine however EAP communication is not finished which corresponds with
>> the client stopping communication since it can't validate the certificate.
>> I'm really getting lost in the SSL jungle? I would really like to understand
>> how this is done right, since it is about security.
> It would help to read the Makefile and understand it. Your goal is to produce multiple certificates, each with a unique subject (e.g. the host name of the radius server) and have it signed by the ca. There is no need to do this process on each machine, the creation of certs can be done on any machine.
> Find the part of the Makefile which says this:
> "Create a new server certificate, signed by the above CA."
> If you make the target server.pem target (e.g. make server) it will cause the Makefile to execute a series of commands to produce the certificate starting with a CSR (Certificate Signing Request). Note, the server.csr target depends on server.cnf so make sure you edit this for each server whose certificate you want to generate (see the req(1) man page to understand how the certificate subject, e.g. DN, may be specified).
> But also note in the Makefile that server.crt is dependent on ca.key and ca.pem, which themselves are dependent on ca.cnf. If when you copy the files the ca.cnf file ends up with a newer timestamp than ca.key or ca.pem then a new ca will be created, you don't want that. You can either fix the timestamps using touch or just make all the certs on one machine so you don't have to worry about the ca being recreated.
> After you've created your certificates on the one machine (don't foget to rename the server.{crt,p12,pem} files) dump them out using
> openssl x509 -in XXX.pem -inform PEM -text
> and verify each has the certificate subject you expected.
> Then verify the each cert with:
> openssl verify -CAfile ca.pem XXX.pem
> If that succeeds you'll know each is successfully signed by the same ca and you can distribute that ca to your clients. Then copy your server certs to your RADIUS hosts, don't forget to edit the config so certificate names match how you named your certs (it will no longer be server.{crt,p12,pem}.
> -- 
> John Dennis <jdennis at>
> Looking to carve out IT costs?
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list