Hi All, On 6-4-2016 09:31, Stefan Winter wrote:
No. If your server certificate is from a CA, the client can verify that your server is genuine (if the client side is configured correctly to actually check CA and server name).
After days of work, I still cannot fixed this 100% correct. My client certs -signed by StartSSL- authenticate fine in this WPA2 Enterprise setup. What I cannot get to work is the authentication of my radius server with iPhones running iOS 9.3.2. I keep getting the cert warning that the domain is not trusted. Ofcourse I can choose for 'accept' after the warning, but this is not the best... I own the domain example.com and have a valid cert for server.example.com signed by StartSSL with "StartCom Class 1 DV Server CA". This cert is issued by "StartCom Certification Authority". Both the root CA and the intermediate CA are installed on the two iPhones. All three certs are in /etc/freeradius/certs/ . My EAP config is like this: certdir = ${confdir}/certs cadir = ${confdir}/certs ca_file = /etc/freeradius/certs/both.pem ca_path = /etc/freeradius/certs certificate_file = /etc/freeradius/certs/server.example.com.crt private_key_file = /etc/freeradius/certs/server.example.com.key I have been reading posts like these: http://lists.freeradius.org/pipermail/freeradius-users/2013-August/067987.ht... and trying to make it work with only the root CA in ca_file, together (both.pem in the listing above) with the intermediate cert, with the cert for tommie.example.com in it.. nothing helps. Again, all is working, but I'd like to get rid of the warning! Any help? Using FreeRADIUS on Ubuntu 14.04 with package 3.0.11-ppa2~trusty. Thank you!