EAP TLS against multiple certificates?

Alan DeKok aland at deployingradius.com
Wed May 3 16:14:45 CEST 2017


On May 3, 2017, at 9:36 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
> I removed the comments from the config snippet I posted to make it more readable for the list, but they do exist in my original configuration.
> 
> 		#  In general, you should use self-signed
> 		#  certificates for 802.1x (EAP) authentication.
> 		#  In that case, this CA file should contain
> 		#  *one* CA certificate.
> 
> To me this suggests it is not possible to have more than one certificate. Is this correct?

  No.  It suggests that in some cases you want to use one CA cert.  In other cases, you can use multiple CA certs.

> If so, any suggestions on how we can solve this issue or is it a case of finding every SHA1 client and forcing them to update their cert?

  What cert is where?  Do you mean the clients are using certs with SHA1?  Or the CA cert?  Please be specific.

  And either way, the only way to upgrade the client (client cert or CA cert) is to put the new certs onto the client.

> The ideal solution would be to be able to support a SHA1 chain and a SHA256 chain as a migratory step, dropping the SHA1 in the near future. The only other option was to have a 'change day' when both the servers and clients all changed. It looks like that change day may have unexpectedly become today!

  You can use multiple CA certs.

  Alan DeKok.
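The reply above says a CA file can hold more than one CA certificate; the script below is an added example (not from this thread or from FreeRADIUS) that builds such a bundle from two throw-away CAs, issues a client certificate from each, and checks with openssl verify that both clients chain to the bundle while each fails against the other CA alone. Both test CAs use SHA-256 here because the hash algorithm does not change the mechanism; the CA labels, file names and scratch directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeRADIUS.
# Builds one PEM bundle holding two CA certificates and shows that a
# client certificate issued by either CA verifies against the bundle,
# which is what pointing ca_file at that bundle gives you during a
# CA migration. All names and paths used here are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Create a self-signed CA; $1 is a label such as "old" or "new".
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca-$1.key" -out "$WORK/ca-$1.pem" \
    -subj "/CN=Example $1 CA" >/dev/null 2>&1
}

# Issue a client certificate named $2, signed by the CA labelled $1.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/ca-$1.pem" \
    -CAkey "$WORK/ca-$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The whole point: a ca_file may hold several CA certs, simply concatenated.
build_bundle() {
  cat "$WORK/ca-old.pem" "$WORK/ca-new.pem" > "$WORK/ca-bundle.pem"
}

# Return 0 if certificate $2 chains to a CA in file $1, non-zero otherwise.
# -no-CAfile/-no-CApath keep the system trust store out of the check.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Two CAs, one client certificate from each, one bundle trusting both.
setup_demo() {
  new_ca old
  new_ca new
  issue_client old client-old
  issue_client new client-new
  build_bundle
}

setup_demo
for client in client-old client-new; do
  for ca in ca-old ca-new ca-bundle; do
    if verify_against "$WORK/$ca.pem" "$WORK/$client.pem"; then r=accepted; else r=rejected; fi
    echo "$client against $ca.pem: $r"
  done
done
```

On the FreeRADIUS side, ca_file in the eap module's tls configuration is the setting that would point at ca-bundle.pem; as the reply notes, clients still need whatever new certificate they validate the server against installed on them.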
