Can I use two or more freeradius server certificates for the same virtual site?

Alan DeKok aland at
Thu Nov 1 15:08:00 CET 2018

On Nov 1, 2018, at 9:52 AM, work vlpl <thework.vlpl at> wrote:
> Yes, I know about it. But in my case I can not issue new server
> certificate from the same CA. That CA was bought by other CA, and now
> new certificates are signed with different root certificate.

  Ugh.  That's not nice.

> This
> cause some problems. Clients that verify server certificate using CA
> certificate that stored in radius configuration, now has broken trust
> chain.

  The problem is that TLS doesn't really allow for what you want.  When EAP-TLS (or PEAP or TTLS) starts up, there's no way for the client to signal which CA root it wants.

  Instead, what happens is this (roughly speaking)

client: let's do TLS!

server: Sure, here's my CA and server cert!

client:  Uh... not what I wanted, goodbye!

  The only way to signal which CA you want is by some other method.  i.e. changing the outer identities, as Christian suggested.

  Or, you could have a list of which systems (i.e. MAC address) use which certificates.  And then do:

	if (system is in group 1) {
		eap with old Ca cert
	else {
		eap with new CA cert

  There aren't really many other options.  TLS 1.3 is supposed to fix that, I think, but it's a long way from wide-spread use.

  Alan DeKok.

More information about the Freeradius-Users mailing list