What i've got currently can be up to 3 files. Firstly, the server certificate itself, which has been signed by Verisign's Intermediate CA, then the cert for said Intermediate CA, and finally the root cert used to sign the Intermediate CA. My current setup is with the server cert in a file on it's own (jrs-radius02.pem is the cert, jrs-radius02.key is the keyfile), and the intermediate and root certs in the same file (verisign.pem. Intermediate cert at the top, root cert at the bottom). I then have the following config lines in the tls section of eap.conf for FreeRADIUS to reference these files:
private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem CA_file = ${certdir}/jrs-radius02/verisign.pem
When you think you are done - you can test the validity of your new certificate like this:
openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert
I've actually dropped the -crl_check from this test, as i'm not doing crl checking within FreeRADIUS until i've got it working without it. Also, this command didn't seem to work when my verisign.pem contained > 1 cert, even after a c_rehash, it only worked if all the certs were in individual files:
jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath .. jrs-radius02.pem jrs-radius02.pem: OK
What? openssl verify -CAfile verisign.pem jrs-radius02.pem isn't working? Then something is wrong with your chain file. Check that you are using the correct root certificate and cat certificates again in a new bundle. Ivan Kalik Kalik Informatika ISP