WPA Enterprise Certificate renewal for FreeRadius
Mike Diggins
mike.diggins at mcmaster.ca
Mon Jan 9 20:26:48 CET 2012
On Mon, 9 Jan 2012, Phil Mayers wrote:
> On 09/01/12 17:42, Mike Diggins wrote:
>>
>> I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
>> authentication certificate currently. My eap.conf 'certificate file'
>> contains the certificate only, not the root and/or intermediates. That
>> seems to be ok, since most clients already have the Thawte Root
>> certificate installed.
>>
>> I renewed the new certificate just recently and discovered that Thawte
>> is no longer issuing certificates under the old root so my clients will
>> likely be asked to trust the new certificate when I install it. All my
>> documentation changes as well but that's another story.
>>
>> My question is, what is the value of adding the roots/intermediates to
>> the certificate file, i.e. certificate_file = ${certdir}/certificate.crt?
>> Does it really allow a client without the Root already installed to
>> verify this certificate?
>
> Most clients:
>
> 1. Have all the common "top-level" CAs installed
> 2. May or may not have the intermediate CAs
>
> We put the server & intermediate certs (NOT the top-level) into the cert
> file, and in our experience this lets all clients (Windows, MacOS, iOS,
> Android) connect without errors.
>
> I believe that, if the client really does lack the top-level CA, you're
> screwed. You will have to manually install at least the top-level cert,
> except on MacOS (and possibly iOS, but not sure).
Do the certificates need to be listed in any particular order in the
certificate_file?
-Mike
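An added check, not part of the thread or of FreeRADIUS itself, that answers the ordering question with the openssl CLI: FreeRADIUS hands certificate_file to OpenSSL's chain loader, which takes the first PEM certificate as the server's own certificate and every following one as the chain it sends to the client, so the server cert must come first, the intermediates after it, and the self-signed root (which clients already carry) is left out. The three-tier PKI under /CN=Example Root CA, /CN=Example Intermediate CA and /CN=radius.example.org is constructed for the demo and stands in for the Thawte chain.

```shell
#!/bin/sh
# Sanity-check a FreeRADIUS certificate_file bundle: server certificate first, the
# intermediates after it, no self-signed root. Needs only the openssl CLI; the
# three-tier PKI built below is constructed for the demo (not real Thawte certificates).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Print the Nth PEM certificate (1-based) of a bundle.
pem_at() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }

# check_chain_file BUNDLE ROOT_CA: exit 0 only if BUNDLE is usable as certificate_file
# and its chain verifies up to ROOT_CA, the certificate the clients already trust.
check_chain_file() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  # 1. OpenSSL treats entry 1 as the server certificate; a CA cert there breaks EAP.
  pem_at "$1" 1 | openssl x509 -noout -text | grep -q 'CA:TRUE' && return 1
  # 2. No self-signed root: clients carry it already, and it only bloats the EAP exchange.
  i=1
  while [ "$i" -le "$n" ]; do
    subj=$(pem_at "$1" "$i" | openssl x509 -noout -subject)
    iss=$(pem_at "$1" "$i" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && return 1
    i=$((i + 1))
  done
  # 3. The leaf must verify through the intermediates in the bundle up to ROOT_CA.
  pem_at "$1" 1 > "$WORK/leaf.tmp"
  awk '/-----BEGIN CERTIFICATE-----/{c++} c>=2' "$1" > "$WORK/inter.tmp"
  extra=""; [ "$n" -ge 2 ] && extra="-untrusted $WORK/inter.tmp"
  openssl verify -CAfile "$2" $extra "$WORK/leaf.tmp" >/dev/null 2>&1
}

# Constructed test PKI: Example Root CA -> Example Intermediate CA -> radius.example.org.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/srv.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -out "$WORK/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=radius.example.org' \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/srv.cnf" -out "$WORK/srv.pem" 2>/dev/null
}

make_test_pki
cat "$WORK/srv.pem" "$WORK/int.pem" > "$WORK/certificate.crt"   # what eap.conf points at
if check_chain_file "$WORK/certificate.crt" "$WORK/root.pem"; then echo "certificate.crt OK"; else echo "certificate.crt BAD"; fi
```

Run the same check against a bundle with the intermediate first, or with the root appended, and it fails, which is the quickest way to catch a renewal that was concatenated in the wrong order before clients start seeing trust prompts.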