kjonca@o2.pl (Kamil Jońca) writes: [...]
I have copied new ca file to CA_path, and done c_rehash. What else should I do? BTW. excerpt from my eap.conf eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = [.....] private_key_file = [....] certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem dh_file = /etc/ssl/dh.pem random_file = /dev/urandom CA_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap"
[....]
It looks like problem is in --8<---------------cut here---------------start------------->8--- certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem --8<---------------cut here---------------end--------------->8--- both of these certs are created for key from "private_key_file". One of them is signed by one CA ("old") and second by by my new CA. When client with cert signed by "new" CA wants connect it ends with first file which is signed by 'wrong" CA. (As I understand) I tried to bundle both certs into single file but with no success. So my question is: I have some certs for clients signed by OLD ca. I want to "migrate" gradually migrate to "new" CA. How can I make to use two CA's [1] and two cert file for server [2]? KJ [1] - it looks simple [2] - but this not -- http://wolnelektury.pl/wesprzyj/teraz/ Women, when they are not in love, have all the cold blood of an experienced attorney. -- Honor'e de Balzac