On Jan 14, 2020, at 2:43 PM, uj2.hahn@posteo.de wrote:
While I'm still struggling with my issue I read documentation again and again, especially about the cert documents. Now I'm so confused that I like to come back to some basic questions:
raddb/certs/README says:
$ vi client.cnf
Edit the "input_password" and "output_password" fields to be the password for the client certificate. You will have to give these passwords to the end user who will be using the certificates.
and later: $ make client.pem
The users certificate will be in "emailAddress.pem", i.e. "user@example.com.pem".
The bootstrap script is indeed creating this email-like certificate. But when I install it on the client PC there is no password needed (but installation is successfull).
Yes, a certificate doesn't need a signature.
But in addition the bootstrap script generates 5 more client files (client.pem, client.key etc.). When I install those I'm asked for the password (as expected). So: what is the correct file to load into the PC as client cert for EAP-TLS?
The client certificate, and the client key. The certificate has various forms (PEM, CRT, etc.). You only need one.
And one more question:
raddb/certs/README says:
MAKING A SERVER CERTIFICATE
The following steps will let you create a server certificate for use with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow similar steps to create an "inner-server.pem" file, for use with EAP-TLS that is tunneled inside of another TLS-based EAP method.
The bootstrap script does not care about this inner-server.cfg config file and does not generate inner-server.pem. Is it correct? The Makefile does have an entry for that but this is not used by the bootstrap file. Is it on intention?
Yes. The inner-server certificate is used for mods-available/inner-eap. If you don't use that module, then the inner-server certificate isn't necessary. Alan DeKok.