On Aug 4, 2024, at 3:50 PM, Rolf Harald Holmvik <rolf.harald.holmvik@gmail.com> wrote:
I'm testing EAP-TLS for WPA3 Enterprise Wi-Fi authentication, and I'm having trouble getting FreeRADIUS to trust the intermediate certificate in the client chain. Hopefully someone on this mailing list can point me in the right direction to get it working. I'd like to eventually set "reject_unknown_intermediate_ca = yes", but can't until I get FreeRADIUS to trust the legitimate intermediate certificate.
Unfortunately the issue here seems to be OpenSSL. I don't recall the exact reasons, but for some reason OpenSSL is deciding that the intermediate certificate is untrusted, even though FreeRADIUS has given it the entire certificate chain. We'll try to figure out why, but in the mean time you can just ignore the message. If you control the root CA, it's likely that it won't issue intermediate CAs which are unknown to you. Alan DeKok.