Trusted CA, Signed Certs and Verification

A.L.M.Buxey at lboro.ac.uk
Fri Apr 4 17:32:33 CEST 2014


Hi,

> On Windows machines we get a prompt saying that "Windows Cannot Verify the server's identity".
> On iOS when you view the certificate it says: "Not Verified"
> 
> This is confusing because we use a global CA Root (Digicert) that *is* already installed on all devices.

okay..so you have the root on the device.  but how is the RADIUS cert signed? is it signed
directly by the root ....usually there are intermediate certificates involved...

if so, the client probably won't have the intermediates installed....so there is a big gap
between the RADIUS cert and the root.....

how to fix?  you need to ensure that the RADIUS server hands out not only ITS cert, but also the intermediates...
so just concatenate the intermediates and the RADIUS cert into one single file and send that out
(configure that in the eap.conf file) instead. the client will receive the intermediates..which it can link
against the known/trusted CA...and the RADIUS cert which it can link to the intermediates.

all good.

alan
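
The gap described in the message above can be reproduced with a throwaway PKI. This is an added example, not part of the original post; the `lab-*` subjects and file names are made up, and `client_verifies` models a client that trusts only the root and sees only what the server sends.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (all names made up): root -> intermediate -> RADIUS server cert.
set -eu

make_lab_pki() {                      # $1 = empty working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
    for n in root int srv; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
        -subj "/CN=lab-$n" 2>/dev/null
    done
    # Self-signed root, intermediate signed by the root, server cert signed by the intermediate.
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile ca.ext -out root.pem 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
      -extfile ca.ext -out int.pem 2>/dev/null
    openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 \
      -extfile leaf.ext -out srv.pem 2>/dev/null
    # The single file the server should hand out: its own cert first, then the intermediate.
    cat srv.pem int.pem > srv-chain.pem
  )
}

# $1 = the only CA the client trusts, $2 = PEM file the server sends.
# "openssl verify" checks the first cert in $2 and may use the rest of $2 as untrusted helpers.
client_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab_pki "$LAB"

for f in srv.pem srv-chain.pem; do
  if client_verifies "$LAB/root.pem" "$LAB/$f"; then r="verifies"; else r="NOT verified"; fi
  echo "$f ($(count_certs "$LAB/$f") cert(s) sent): $r"
done
```

Running `count_certs` against the certificate file a production server actually sends is a quick way to see whether the intermediates are in it.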

