It is not advised to use Certificates from a Public CA like VeriSign, CACert or others because every certificate created by any of these are accepted to authenticate against FR! Instead you should use your own CA. Or you specify that only certificates signed by a given issuer are allowed but that it not that secure. All files in /etc/raddb/certs can be deleted if you don't use the FR scripts to create certificates but have your own CA to create these. For FreeRADIUS you only need up to three files depending on what format your certificates and keys are. private_key_password = whatever private_key_file = ${certdir}/Server.key certificate_file = ${certdir}/Server.cer ca_file = ${cadir}/ChainedCa.cer Specify private_key_password only if the private key for your Server.cer has a password. If not, uncomment it. If your key has a password and you do not specify it, you'll have to enter it manually when starting FR. Point private_key_file to your FR Server certificate private key file. Point certificate_file to your FR Server certificate file Point ca_file to your CA certificate(s). ca_file should contain all certificates of the Certificate Chain. If the Chain is eg. Root CA cert > CA cert > FR Server cert then you need Root CA cert and CA cert in one file. Before you combine both certificates you have to check its contents. Each file should look like: -----BEGIN CERTIFICATE----- ..... -----END CERTIFICATE----- If you have human readable content before or after these two lines, delete it. It's just there for humans and all data shown is also stored in the gibberish data between these two lines above. If your Root-ca.cer and Ca.cer are ready to these two commands to combine them: cat Root-ca.cer > ChainedCA.cer cat Ca.cer >> ChainedCA.cer You now have two certificates in one file (ChainedCA.cer) and you specify this new file in FR as ca_file. Root-ca.cer and Ca.cer are not required anymore. 2015-06-18 2:40 GMT+02:00 Sunil Kulkarni -X (sunikulk - PERSISTENT SYSTEMS INC at Cisco) <sunikulk@cisco.com>:
Hello All,
I am using FR 3.0.8 version. I have done setup EAP-TTLS with PAP. For local setup and testing, I have used self-signed certificates. Now my setup and configuration is done and I want to do setup on production side. I have following certificates from CA, however, I am not getting how do I deploy certificates in FreeRadius because /etc/raddb/certs folder contains lots of certificate and its related to file. Root-ca.cer Ca.cer Server.cer
Kindly help me on this?
--- Thanks, Sunil Kulkarni
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html