About the file pointed at by setting "certificate_file"
Axel Luttgens
axel.luttgens at skynet.be
Mon Sep 8 15:11:26 CEST 2014
On 8 Sep 2014, at 14:31, Alan DeKok wrote:
> Axel Luttgens wrote:
>> It "works", in the sense that a client connecting through TTLS receives both certificates, which is exactly what I want. :-)
>
> OK.
>
>> Now, it is true that I currently don't implement TLS.
>
> What does that mean? EAP-TLS is enabled in v3 by adding a "tls {...}"
> block to mods-available/eap. Then, creating client certificates and
> adding them to the clients.
Hello Alan,
Reading that part of the comments:
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
ca_file = /path/to/my_root_ca_cert.pem
I was under the impression that EAP-TLS authentication attempts wouldn't be allowed by FR when commenting out the "ca_file = ..." line.
Since I currently haven't made any provision for EAP-TLS (handling of client certificates and so on), this could perhaps be a good thing.
>> Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line,
>> and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define:
>> certificate_file = /path/to/my_combined_certs
>
> To do what?
Currently, to disallow EAP-TLS auths.
Moreover, should I later decide to implement certificate-based authentications, this wouldn't happen through certificates emitted by my ad hoc Root CA, but through certificates emitted by an intermediary CA certified by my Root CA; my current "ca_file = ..." setting would thus be wrong anyway.
Therefore, that comment:
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = /path/to/my_server_cert.pem
seemed to support both the ideas of not having to worry now about EAP-TLS auth attempts and of having a config consistent with what might happen here in the future.
Of course, my understanding of those comments may be completely wrong, and I thus wanted to get some feedback before erring in the dark...
> [...]
>> Would a simple cat of the two certificates (currently in PEM format) be sufficient?
>
> How about trying it?
Yes, of course. ;-)
Axel
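Added example, not from this thread or from the FreeRADIUS project: a POSIX shell script that does what the message asks about (a plain cat of the PEM files into one "my_combined_certs" file) and then checks the result the way one would before restarting radiusd. The one thing a cat can get wrong is the order. FreeRADIUS hands certificate_file to OpenSSL's chain loader, which takes the FIRST certificate in the file as the server's own certificate (the one that must match private_key_file) and every certificate after it as the chain sent to the supplicant; so the server certificate goes first, then the intermediate, then the root. The script generates a throwaway three-tier PKI to match the planned Root CA / intermediate CA layout; every path, CN and the scratch directory are invented for the example. One caveat worth keeping in mind: what makes EAP-TLS available is the "tls {...}" block Alan mentions, not the presence of ca_file; leaving ca_file out only leaves the server without trust anchors for verifying client certificates.

```shell
#!/bin/sh
# Added example (not FreeRADIUS project code): build the combined PEM file that
# certificate_file points at when ca_file is left out, and check it before
# restarting radiusd. File names, CNs and the work directory are hypothetical;
# the PKI is a throwaway fixture generated on the spot.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config with a CA profile and a server profile, so the fixture
# does not depend on whatever the system openssl.cnf happens to contain.
write_cnf() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
}

# Three-tier PKI like the one described in the message:
# Root CA -> intermediate CA -> RADIUS server certificate.
make_pki() {
  write_cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/inter.pem"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=radius.example.net" -keyout "$WORK/server.key" -out "$WORK/server.csr"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_server \
    -out "$WORK/server.pem"
}

# Correct order: server certificate first (it is paired with private_key_file),
# then its issuers, leaf towards root. Prints the path of the file it wrote.
build_combined() {
  cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/my_combined_certs.pem"
  echo "$WORK/my_combined_certs.pem"
}

# The mistake a plain cat invites: CA certificates before the server certificate.
build_wrong_order() {
  cat "$WORK/root.pem" "$WORK/inter.pem" "$WORK/server.pem" > "$WORK/wrong_order.pem"
  echo "$WORK/wrong_order.pem"
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# openssl x509 parses only the first PEM block, which is exactly the certificate
# OpenSSL (and therefore radiusd) will treat as the server's own.
first_cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Does the chain inside the combined file lead from the server certificate to the
# root the supplicants trust? Exit status 0 means the chain verifies.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/server.pem"
}

# Does the first certificate belong to private_key_file? A wrongly ordered file
# fails this comparison of the two SubjectPublicKeyInfo blocks.
key_matches_first_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

main() {
  make_pki
  good=$(build_combined)
  bad=$(build_wrong_order)
  echo "certificates in $good: $(cert_count "$good")"
  echo "first certificate in the good file: $(first_cert_subject "$good")"
  echo "first certificate in the bad file:  $(first_cert_subject "$bad")"
  verify_chain "$good"
  key_matches_first_cert "$good" && echo "good file: private key matches first certificate"
  key_matches_first_cert "$bad" || echo "bad file: private key does NOT match first certificate"
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

With the good file, "openssl verify" reports server.pem: OK and the key check passes; with the wrongly ordered file the first subject is the Root CA and the key check fails, which is the mismatch radiusd would report at start-up. The same combined file can also be handed to "openssl s_server -cert ... -key ..." and inspected from a client with "openssl s_client -showcerts" to see exactly which certificates a TTLS supplicant will receive.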