Strange things with android phone

Kamil Jońca kjonca at o2.pl
Sat Aug 22 18:11:20 CEST 2015


kjonca at o2.pl (Kamil Jońca) writes:

[...]
> I have copied new ca file to CA_path, and done c_rehash. What else
> should I do?
> BTW. excerpt from my eap.conf
>   eap {
>                 default_eap_type = tls
>                 timer_expire     = 60
>                 ignore_unknown_eap_types = no
>                 cisco_accounting_username_bug = no
>                 max_sessions = 4096
>                 tls {
>                         certdir = ${confdir}/certs
>                         cadir = ${confdir}/certs
>                         private_key_password = [.....]
>                         private_key_file = [....]
>                         certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
>                         certificate_file =  ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
>                         dh_file = /etc/ssl/dh.pem
>                         random_file = /dev/urandom
>                         CA_path = ${cadir}
>                         check_cert_cn = %{User-Name}
>                         cipher_list = "DEFAULT"
>                         make_cert_command = "${certdir}/bootstrap"
>
>                         
> [....]

It looks like the problem is in

--8<---------------cut here---------------start------------->8---
    certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
    certificate_file =  ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
--8<---------------cut here---------------end--------------->8---
Both of these certs are created for the key from "private_key_file".
One of them is signed by one CA ("old") and the second by my new CA.
When a client with a cert signed by the "new" CA wants to connect, it ends up with the
first file, which is signed by the "wrong" CA. (As I understand it.)

I tried to bundle both certs into single file but with no success.


So my question is:
I have some certs for clients signed by the OLD CA.
I want to "migrate" gradually to the "new" CA.
How can I make it use two CAs [1] and two cert files for the server [2]?

KJ
[1] - it looks simple
[2] - but this one does not

-- 
http://wolnelektury.pl/wesprzyj/teraz/
Women, when they are not in love, have all the cold blood of an experienced
attorney.
		-- Honor'e de Balzac
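The duplicated `certificate_file` in the excerpt above is the kind of thing a config lint catches before a restart: whichever value the server actually takes, only one certificate is served. The following is an added example, not FreeRADIUS code and not the poster's; it is a small parser for the brace-structured eap.conf syntax that keeps every value of every key and reports duplicates within a section. `${confdir}` is a FreeRADIUS built-in, so the value passed for it here (`/etc/freeradius`) is an assumption.

```python
import re

# Constructed sample reproducing the duplicate certificate_file from the post.
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = tls
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
        certificate_file =  ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
        CA_path = ${cadir}
    }
}
"""

ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$')
OPEN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*\{\s*$')

def parse_conf(text, variables=None):
    """Parse FreeRADIUS-style 'name { key = value }' text.
    Returns ({'section.key': [value, ...]}, [warnings]); a key assigned twice
    in one section yields a two-element list plus a 'duplicate' warning."""
    vars_ = dict(variables or {})          # built-ins such as confdir (assumed)
    stack, values, warnings = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if OPEN.match(line):
            stack.append(OPEN.match(line).group(1)); continue
        if line.strip() == '}':
            stack.pop(); continue
        m = ASSIGN.match(line)
        if not m:
            warnings.append(f'line {lineno}: unparsed: {line.strip()}'); continue
        key, val = m.groups()
        val = val.strip('"')

        def expand(mo):  # ${name}: built-in first, then a sibling key in this section
            name = mo.group(1)
            if name in vars_:
                return vars_[name]
            sib = values.get('.'.join(stack + [name]))
            return sib[-1] if sib else mo.group(0)

        val = re.sub(r'\$\{([\w-]+)\}', expand, val)
        full = '.'.join(stack + [key])
        if full in values:
            warnings.append(f'line {lineno}: duplicate {full!r}; earlier value {values[full][-1]!r}')
        values.setdefault(full, []).append(val)
    return values, warnings
```

Run `parse_conf(open('eap.conf').read(), {'confdir': '/etc/freeradius'})` and act on any `duplicate` warning before reloading the server.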


