Multiple radius servers with the same CA

John Dennis jdennis at
Wed Mar 24 16:34:24 CET 2010

On 03/24/2010 11:13 AM, sphaero wrote:
> Matt Harlum wrote:
>> Hi,
>> John covered pretty much everything I was going to say
>> I'd recommend choosing a machine to generate your keys and certs on and
>> sticking with that, otherwise you'll end up with SSL Certs with clashing
>> serial numbers
>> Plus it'll allow you to revoke certificates later if need be
>> Regards,
>> Matt Harlum
>> On 24/03/2010, at 11:30 PM, John Dennis wrote:
>>> On 03/24/2010 06:21 AM, sphaero wrote:
>>>> Hi All,
>>>> I've been searching the archives for a while on some guidance into
>>>> setting
>>>> up multiple radius servers using the same CA for use with EAP/TTLS.
>>>> I've generated a CA which is distributed to all the clients (i.e.
>>>> SecureW2).
>>>> I've got 2 radius servers for redundancy. All NAS devices have two
>>>> radius
>>>> server configured.
>>>> I'm using the scripts from freeradius 2.0 to generate the certificates
>>>> according to instructions in the README. I've setup the ca.cnf and
>>>> server.cnf (not using eap/tls so I skip
>>>> On the primary radius server I generated the certificates by issuing:
>>>> make
>>>> Now on the second radius server I just copy the following files:
>>>> /certs/ca.pem
>>>> /certs/ca.key
>>>> /certs/ca.der
>>>> /certs/*.cnf
>>>> /certs/Makefile
>>>> /certs/README
>>>> /certs/xpextensions
>>>> and issue:
>>>> make server
>>>> make dh
>>>> This seems to have worked. But is this really correct?
>>>> I'm renewing one radius server and did this procedure again but now I'm
>>>> receiving "chain could not be validated" errors in SecureW2. Radius log
>>>> seems fine however EAP communication is not finished which corresponds
>>>> with
>>>> the client stopping communication since it can't validate the
>>>> certificate.
>>>> I'm really getting lost in the SSL jungle? I would really like to
>>>> understand
>>>> how this is done right, since it is about security.
>>> It would help to read the Makefile and understand it. Your goal is to
>>> produce multiple certificates, each with a unique subject (e.g. the host
>>> name of the radius server) and have it signed by the ca. There is no need
>>> to do this process on each machine, the creation of certs can be done on
>>> any machine.
>>> Find the part of the Makefile which says this:
>>> "Create a new server certificate, signed by the above CA."
>>> If you make the target server.pem target (e.g. make server) it will cause
>>> the Makefile to execute a series of commands to produce the certificate
>>> starting with a CSR (Certificate Signing Request). Note, the server.csr
>>> target depends on server.cnf so make sure you edit this for each server
>>> whose certificate you want to generate (see the req(1) man page to
>>> understand how the certificate subject, e.g. DN, may be specified).
>>> But also note in the Makefile that server.crt is dependent on ca.key and
>>> ca.pem, which themselves are dependent on ca.cnf. If when you copy the
>>> files the ca.cnf file ends up with a newer timestamp than ca.key or
>>> ca.pem then a new ca will be created, you don't want that. You can either
>>> fix the timestamps using touch or just make all the certs on one machine
>>> so you don't have to worry about the ca being recreated.
>>> After you've created your certificates on the one machine (don't foget to
>>> rename the server.{crt,p12,pem} files) dump them out using
>>> openssl x509 -in XXX.pem -inform PEM -text
>>> and verify each has the certificate subject you expected.
>>> Then verify the each cert with:
>>> openssl verify -CAfile ca.pem XXX.pem
>>> If that succeeds you'll know each is successfully signed by the same ca
>>> and you can distribute that ca to your clients. Then copy your server
>>> certs to your RADIUS hosts, don't forget to edit the config so
>>> certificate names match how you named your certs (it will no longer be
>>> server.{crt,p12,pem}.
>>> --
>>> John Dennis<jdennis at>
>>> Looking to carve out IT costs?
>>> -
> Hi all,
> Thanks for these clarifications. So to clear this up I know have one machine
> to generate the certificates. This machine had it's CA setup according to
> instructions found in the certs/README distributed with FR 2.
> Certificates for a second radius server (radius2) using the same CA are
> generated as follow:
> # Certificate request (.csr) en key (.key)
> openssl req -new  -out radius2.csr -keyout lx0008.key -config ./server.cnf
> # Certificate (.crt)
> openssl ca -batch -keyfile ca.key -cert ca.pem -in radius2.csr  -key
> $PASSWORD_CA -out radius2.crt -extensions xpserver_ext -extfile xpextensions
> -config ./server.cnf
> # p12
> openssl pkcs12 -export -in radius2.crt -inkey radius2.key -out radius2.p12
> -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
> # PEM
> openssl pkcs12 -in radius2.p12 -out radius2.pem -passin
> (Ofcourse the password vars are replaced with the vars in the ca.cnf&
> server.cnf)
> I then copy the following files onto this second radius server:
> radius2.pem and ca.pem
> Finally I generate a dh file on the second radius server:
> openssl dhparam -out dh 1024
> Bump, still doesn't work :(
> I'm still doing something wrong?

Did you edit your eap.conf file to point to radius2.pem? Did you set 
your private_key_password in eap.conf to match $PASSWORD_CA used above? 
BTW, don't use the same password as in the example ;-)

Did you verify the certs as suggested above?

Saying something doesn't work isn't helpful, the log output would be 

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list