/certs does not work as-is. See http://bugs.freeradius.org/show_bug.cgi?id=614 I fixed mine by changing the script to sign the client with the CA in stead of the server. While there are a number of way to go about it this was the most expedient. There is also an unrelated problem that causes the CA to only last 30 days. See here http://bugs.freeradius.org/show_bug.cgi?id=615 Use /certs with care! -Ted- tnt@kalik.net wrote:
my radius server though is running on server1 and I think that my failure is related to the fact that I'm generating the certificates and signing them with server2.
Yes. Same CA has to be used for server and client certificates.
So my questions...
1. Do I set up server1 to be its own CA or do I still use server2 as the CA?
Both ways can work.
2. If server2 is the CA, do I then generate the request on server1, copy it to server2 and then sign it on server2?
Or you can copy the CA certificate to server1, generate csr and sign it there.
3. Does anyone see any problems with these methods of generating certificates ? (openssl on Linux)
You have such stuff in freeradius /certs directory. Feel free to compare.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.