Strange things with android phone

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Aug 22 18:23:13 CEST 2015


> On 22 Aug 2015, at 12:11, Kamil Jońca <kjonca at o2.pl> wrote:
> 
> kjonca at o2.pl (Kamil Jońca) writes:
> 
> [...]
>> I have copied new ca file to CA_path, and done c_rehash. What else
>> should I do?
>> BTW, an excerpt from my eap.conf:
>>  eap {
>>                default_eap_type = tls
>>                timer_expire     = 60
>>                ignore_unknown_eap_types = no
>>                cisco_accounting_username_bug = no
>>                max_sessions = 4096
>>                tls {
>>                        certdir = ${confdir}/certs
>>                        cadir = ${confdir}/certs
>>                        private_key_password = [.....]
>>                        private_key_file = [....]
>>                        certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
>>                        certificate_file =  ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
>>                        dh_file = /etc/ssl/dh.pem
>>                        random_file = /dev/urandom
>>                        CA_path = ${cadir}
>>                        check_cert_cn = %{User-Name}
>>                        cipher_list = "DEFAULT"
>>                        make_cert_command = "${certdir}/bootstrap"
>> 
>> 
>> [....]
> 
> It looks like the problem is in
> 
> --8<---------------cut here---------------start------------->8---
>    certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
>    certificate_file =  ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
> --8<---------------cut here---------------end--------------->8---
> Both of these certs are created for the key from "private_key_file".
> One of them is signed by one CA ("old") and the second by my new CA.
> When a client with a cert signed by the "new" CA wants to connect, it ends up with the
> first file, which is signed by the "wrong" CA. (As I understand it.)
> 
> I tried to bundle both certs into a single file, but with no success.
> 
> 
> So my question is:
> I have some certs for clients signed by the OLD CA.
> I want to gradually migrate to the "new" CA.
> How can I make it use two CAs [1] and two cert files for the server [2]?

Concatenate them together in the same CA file.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
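The fix in the reply above, shown as an added shell example that is not part of this thread: it creates throwaway "old" and "new" CAs, issues one client certificate from each, concatenates the two CA certificates into a single bundle, and uses openssl verify to show that a client signed by either CA validates against the bundle while neither validates against the other CA alone. All file, CA and client names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the old-CA/new-CA overlap with
# throwaway keys, build the concatenated CA bundle the reply suggests, and check
# that clients issued by either CA verify against it. All names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed throwaway CA (1-day validity)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client CA NAME: client certificate issued by CA
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# build_bundle OUT CA...: the fix from the reply, both CA certs in one PEM file
build_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# count_certs FILE: number of certificates in a PEM bundle
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_client CAFILE CERT: 0 if CERT chains to a CA in CAFILE, else non-zero
verify_client() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Walk through the migration scenario and report each check.
run_demo() {
    make_ca old-ca; make_ca new-ca
    make_client old-ca alice-old     # issued before the CA change
    make_client new-ca bob-new       # issued by the new CA
    build_bundle "$WORK/ca-bundle.pem" "$WORK/old-ca.pem" "$WORK/new-ca.pem"
    echo "bundle holds $(count_certs "$WORK/ca-bundle.pem") CA certificates"
    for pair in "new-ca.pem alice-old" "ca-bundle.pem alice-old" "ca-bundle.pem bob-new"; do
        set -- $pair
        if verify_client "$WORK/$1" "$WORK/$2.pem"; then r=OK; else r=FAIL; fi
        echo "$2 against $1: $r"
    done
}
run_demo
```

The resulting ca-bundle.pem is the single CA file the reply refers to; in a FreeRADIUS 2.x eap.conf (the poster's version is an assumption) it is what the tls section's CA_file setting would point at.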
