On Thu, 1 Nov 2018 at 18:57, Alan DeKok <aland@deployingradius.com> wrote:
Which certificate do you mean? The client trusts the CA cert. The server cert is derived from that.
The server certificate, that configured by option `certificate_file` in `tls-config tls-common` section (eap module)
If you're using the same CA cert, just change the server certificate. All clients should accept the new server certificate automatically.
Yes, I know about it. But in my case I can not issue new server certificate from the same CA. That CA was bought by other CA, and now new certificates are signed with different root certificate. This cause some problems. Clients that verify server certificate using CA certificate that stored in radius configuration, now has broken trust chain. The idea of using two certificates aims to avoid similar problems in the future.
Not really in the way that you're asking. Because it shouldn't be necessary.
Ok, I got it. Thank you very much for your answers. -- Vladimir