6 Mar
2006
6 Mar
'06
5:40 p.m.
Benjamin Bennett <ben@psc.edu> wrote:
For example, if we have a root CA (A), that issues another CA cert (B), from which our client certs will be issued, our CA_file must contain both A & B certs to validate our clients. However, certs issued directly from A will then also be valid.
Yes, this is currently how it works. There's no real reason, other than no one has added code to distinguish one cert from another.
I'm about to add a check_cert_issuer (PW_TYPE_STRING_PTR) config option set to the DN of the issuer we want to use, and a string compare in cbtls_verify() just before the check_cert_cn happens. Does that sound about right?
It should work. Please submit the patch to bugs.freeradius.org, so others can use it, too. Alan DeKok.