Hi Wouter Am 05.07.2016 um 20:31 schrieb Wouter:
Hi All,
On 3-7-2016 16:13, Wouter wrote:
I have been reading posts like these: http://lists.freeradius.org/pipermail/freeradius-users/2013-August/067987.ht... and trying to make it work with only the root CA in ca_file, together (both.pem in the listing above) with the intermediate cert, with the cert for tommie.example.com in it.. nothing helps. Again, all is working, but I'd like to get rid of the warning! Any help?
Anyone with a working configuration for FreeRADIUS with StartSSL certificates? Yep, still me.
I renewed our RADIUS server certificate unfortunately almost right before they changed their issuing CAs last year. Depending on your validation with them you might have another intermediate CA or even root CA so be careful at that point. What changed is in the time too is how StartSSL now gives you the signed server certificate. As of 1-2 months ago they gave a zip archive with the signed server certificate and the intermediate certificates combined for i.e. IIS, Apache and nginx formats. I've checked on another more recent certificate and it seems the nginx variant comes in the order of 1. server certificate, 2. intermediate certificate. In this case all you'd need is adding the right signing certificate at end of the combined file for nginx and be quite good to go. I have even left ca_file on 3.0.11+ as is by default and have the order of 1. server cert, 2. intermediate cert, 3. root CA and that seems to work for me. Concerning the warning: Am I guessing correctly you are on Windows? Even If all of this worked especially on BYOD Windows 8.1/10 boxes I have realized that even if users follow Windows' regular wizards it still presents them a hash of the certificate which isn't really helpful. (It just says "here is a hash do you accept?" no CA no common name is shown) In order to not make that thing pop up I had to give them WiFi XML profiles that (still) strictly check the issuing CA and the common name - that is what made that popup go away for me.* -- Mathieu * Disclaimer: I do use the service 802.1x-config.org operated by fellow list contributor Stefan Winter who again is related to eduroam CAT development. CAT simplified both my (admin) life and generates also simple installers for Windows taking care for the user importing the XML config the right way (If not part of eduroam you can actually get the CAT code and install your own instance that is)