On Apr 8, 2025, at 1:07 PM, adam <adamham@gmail.com> wrote:
I have some queries I hope someone can help me with.
1) Pre-loading certificates:
https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_7/raddb/cer...
I have set realm_dir in our eap module as suggested. As per:
Once the realm_dir configuration has been added, the selection of certificates is identical to that described in the previous section. Just set TLS-Session-Cert-File, and the server will figure it out.
… I have added the unlang statement suggested in https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_7/raddb/cer...
That should be OK.
Q: Is there a way to know if a certificate chain has been pre-loaded/cached? I can’t find reference in the debug output at startup or during the EAP/TTLS conversation. The file is definitely parsed by the server (if I remove the private key from the chain the server will complain if a corresponding key file is not present), but it would be useful for me to see if a cached file is being used or not.
There's no debug log which says that. I'll add one.
Unless I have misunderstood the documentation, my realm_dir and the directory I have set in the unlang statement are the same. So certificate chains are pre-loaded from this directory on startup, and also added to that directory during runtime for dynamic loading.
Yes.
Q: In the event that a certificate chain is pre-loaded/cached, and the file in the realms directory changed during runtime (e.g. certificate renewal) is it safe to assume the cached chain is used until a server restart?
Yes. The cached file isn't reloaded.
2) File format
I have followed https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_7/raddb/cer... and also placed the private key at the top of each file.
You can also put the private key into a separate ".key" file.
In the "preloading-certificate-chains" section it states:
Each file in that directory should be a PEM encoded certificate chain, as described in the previous section. For safety, every file must have a .pem as the filename extension. e.g. example.org.pem. If there is a corresponding private key, it should be placed into a .key file. e.g. example.org.key.
(emphasis on must)
Accordingly each of my certificate chain files have a '.pem' extension and I have to change the unlang expression so the files are found on startup and at runtime e.g.
" … TLS-Session-Cert-File := "${certdir}/realms/%{Realm}.pem" … "
Q: is the ".pem" file suffix still necessary? I ask as I have tested with and without and both work the same. I also ask in case this bears relevance to my first question.
For files loaded via TLS-Session-Cert-File, the file doesn't have to end in ".key".
Q: do I need to place my corresponding key in a separate file? I ask in case it has relevance to my first question. The server seems to work out if the private key is in the chain file or not, at startup.
The key doesn't have to be in a separate file. If it works... Alan DeKok.