<div dir="ltr">Hi Matthew<div class="gmail_extra"><br><div class="gmail_quote">2013/8/22 Matthew Ceroni <span dir="ltr">&lt;<a href="mailto:matthewceroni@gmail.com" target="_blank">matthewceroni@gmail.com</a>&gt;</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
I read that for FreeRadius just combine the cert with the intermediate<br>
cert into one file and then reference that in eap.conf:certificate_file.<br>
<br>
I have done that but clients are still failing certificate validation.<br></blockquote><div><br></div><div>Honestly I also had some hassles with the certificate chain; now we </div><div>can configure clients to check both CA as well as certificate CN.</div>
<div><br></div><div>My experience was that I had to honor the certificate order and make sure to not include </div><div>unused intermediate certificates. That is: don't include a full CA bundle from your CA; stay</div>
<div>way below the 64k limit (<a href="http://wiki.freeradius.org/guide/Certificate%20Compatibility">http://wiki.freeradius.org/guide/Certificate%20Compatibility</a>)</div><div><br></div><div>I used OpenSSL to show both subject and issuer and go through the chain of trust, starting with </div>
<div>the server certificate, which in my case was StartCom.</div><div>You'll need to know where you can download all root and intermediate roots from your issuing CA.</div><div><br></div><div><div>openssl x509 -noout -in mysignedservercert.pem -subject -issuer</div>
<div> subject= &lt;removed&gt;</div><div> issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA</div><div><br></div><div>After getting the Class 2 Primary Intermediate Server CA:</div>
<div>$ openssl x509 -noout -in sub.class2.server.ca.pem -subject -issuer<br></div><div> subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA</div><div> issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority</div>
<div><br></div><div>And finally we're up in the chain:</div><div>$ openssl x509 -noout -in ca.pem -subject -issuer</div><div> subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority</div>
<div> issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority</div><div><br></div><div># Build the cert bundle for freeradius</div><div>cat mysignedservercert.pem > myservercert-roots-bundled.pem</div>
<div>cat sub.class2.server.ca.pem >> myservercert-roots-bundled.pem</div><div>cat ca.pem >> myservercert-roots-bundled.pem</div><div><br></div><div>This resulted in an 8k file while StartSSL's CA bundle is 124k.</div>
</div><div><br></div><div>-- Mathieu</div></div></div></div>
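<div>The subject/issuer walk described in the message above, scripted as an added example (not part of the original message, and not a FreeRADIUS or OpenSSL tool). The helper name check_bundle is hypothetical, and applying the 64k figure to the PEM file size is an assumption of this example. Like the manual walk, it compares names only and does not verify signatures.</div>

```shell
#!/bin/sh
# Added example, not from the original post. check_bundle is a hypothetical helper.
# Verifies a PEM bundle is ordered server cert -> intermediate(s) -> root by
# comparing each certificate's issuer with the next certificate's subject.

LIMIT=65536  # the 64k figure from the post; applied to the PEM file size (assumption)

check_bundle() {
    bundle=$1
    rc=0
    work=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... and print how many were found.
    count=$(awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
        END { print n + 0 }' "$bundle")
    [ "$count" -gt 0 ] || { echo "no certificates in $bundle"; rc=1; }
    i=1
    while [ "$i" -le "$count" ]; do
        subj=$(openssl x509 -noout -subject -in "$work/cert$i.pem" | sed 's/^subject= *//')
        issr=$(openssl x509 -noout -issuer -in "$work/cert$i.pem" | sed 's/^issuer= *//')
        echo "[$i] subject= $subj"
        echo "    issuer=  $issr"
        # Every certificate after the first must be the issuer of the one before it.
        if [ "$i" -gt 1 ] && [ "$subj" != "$prev_issuer" ]; then
            echo "    ORDER ERROR: previous certificate was issued by: $prev_issuer"
            rc=1
        fi
        prev_issuer=$issr
        i=$((i + 1))
    done
    # A self-signed last entry (subject == issuer) means the top of the chain was reached.
    [ "$count" -gt 0 ] && [ "$subj" != "$issr" ] && echo "note: last certificate is not self-signed"
    size=$(($(wc -c < "$bundle")))
    echo "bundle size: $size bytes"
    [ "$size" -lt "$LIMIT" ] || { echo "bundle is not below $LIMIT bytes"; rc=1; }
    rm -rf "$work"
    return "$rc"
}

# Stand-alone use: sh check_bundle.sh myservercert-roots-bundled.pem
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```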