śr., 2 sie 2023 o 14:27 Alan DeKok <aland@deployingradius.com> napisał(a):
On Aug 2, 2023, at 3:18 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
a) put certificates into the folder (and rehash as necessary)
So I have both intermediate-ca.pem and ca.pem in the folder, do I need to c_rehash it?(in eap file rehash is mentioned only for CA and CRL)
An intermediate CA is still a CA. You still need to run c_rehash.
b) put the certificates into one file in order
Do you mean like “cat intermediate-ca.pem ca.pem > int-ca_ca.pem”?
See mods-available/eap, "certificate_file". It has lots of comments.
What may be happening is that you don't have the intermediate certificate. i.e. only the end-user device has them. So perhaps double-check that.
I do have the intermediate-ca.pem in the same folder as ca.pem, but don't know if I need to add something in the eap config file to let freeradius know it.
An intermediate CA is still a CA. All CAs go into "ca_path".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In the config: Ca_file points to ca.pem Ca_path points to folder containing both ca.pem and intermediate.pem # When using "ca_file" or "ca_path", the # "certificate_file" should contain only # "server.pem". And then you may (or may not) need # to set "auto_chain", depending on your version of # OpenSSL. Certificate_file points to server.pem Auto_chain is set to “yes” SSL version is 3.0.9 Done c_rehash for the folder with certs, freeradius restarted, but in debug I still see the same warnings: Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client