Remember when you put your Root CA file (and perhaps the CRL for that CA) into your certificate directory, and ran 'c_rehash <cert directory>'? Well - it's just like that. You might have had RootCA.pem with the Verisign CA certificate. Personally - I like to have a separate file for each intermediate CA certificate in the chain. When you think you are done - you can test the validity of your new certificate like this: openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert Hope this helps. Give it a go and let us know if you have any problems. -- Matt On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan <d.meyers@lancaster.ac.uk> wrote:
I'm sure I must just be being thick with our FreeRADIUS config, but i've completed failed to find anything online or in the docs explaining *what* i'm doing wrong, so i'm posting here.
We've had a FreeRADIUS server set up for some time now, with an SSL certificate directly signed by one of Verisign's root CA's, for the purposes of doing EAP-TLS domain auth. This worked fine on both FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a month, and it would appear no one issues root signed certs any more, they're all cert chains. Obviously with things like apache this is fine, as you install the chain bundle file at the same time as your actual cert, and the chain gets passed to the client, who follows it to a root CA they do already trust. I'm having trouble working out how to do this with FreeRADIUS however. All the info I can find suggests that if I edit my certificate file so that it contains multiple certs, from least trusted at the top (my server cert) down the chain and file to the one which has been signed by a root CA the user's machine will already trust, then machines will follow the chain as expected and accept the certificate. However if I do this, and have a chain file of the same format as I use successfully on the web server (i.e. multiple BEGIN and END blocks with a single cert between each pair), then my client machines still fail to pick up the chain, and thus can't validate the certificate.
Am I missing something blindingly obvious with regards to how to do certificate chains in FreeRADIUS? If so, please tell me what.
Thanks
-- Dan Meyers Network Specialist, Lancaster University E-Mail: d.meyers@lancaster.ac.uk
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html