iOS doesn't trust server certificate signed by intermediate issuer
Matthew Newton
mcn at freeradius.org
Fri Dec 4 03:05:07 CET 2020
On 03/12/2020 21:01, Igor Sousa wrote:
> I created a bundle with intermediate and root certificates, in this order
> an. I configured the /etc/freeradius/mods-enabled/eap as below:
> private_key_file = <path for server private key that I created>
> certificate_file = <new path for server.pem received from GlobalSign>
> ca_file = <path to ca.bundle obtained by cat intermediate.pem >> ca.bundle
> and cat root.pem >> ca.bundle>
That's not right, unless you are using EAP-TLS and want anyone with a
certificate generated by GlobalSign to be able to authenticate.

private_key_file should be a .pem file with the private key.

certificate_file should be a .pem file containing the server certificate
and the intermediate certificate, in that order.

Don't set ca_file at all.

Don't put the GlobalSign root CA in any of the files. The clients have
that already to check that the server cert is genuine.
--
Matthew