25 Jul
2008
25 Jul
'08
3:44 a.m.
On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the "client.crt" Makefile target in /etc/raddb/certs is signing the client key with the server key. Is this intentional, or a bug?
It's intentional. It's a perfectly valid use of certificate chains.
The idea is that you have one CA for your organization, and (perhaps) multiple RADIUS servers. Each server has it's own identity, and can issue it's own client certs for EAP-TLS. But client certs will work across multiple servers, because the servers are signed by the same CA.
Ah, I see.