Hi Matthew, Thanks for your reply. If I configure the ca_path, it does not multi-tenancy because the CA certificates will exist in one path, and if I use a client certificate from the other tenant's CA, it will pass, right? So, how can I ensure the client will use the proper CA to verify certificates based on their tenant If I can get tenant information from the request? Thanks. On Wed, Nov 8, 2023 at 5:47 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 08/11/2023 08:42, James Fan wrote:
Hi, we have a case that, with multi-tenancy, there will be multiple CA certificates in our FreeRadius server, so we need to load the certificate chains dynamically. But when I use the statements below, I can't include the CA certificates in the certificate files I set. The TLS-Session-Cert-File looks like it is only for the server certificate and intermediate CA certificates. Is there any chance of dynamic loading certificate chains with root CA certificates?
Why? The client already has the root CA cert installed which is uses to verify the server certificate that you send. You don't need to send the root to the client again.
If you want to use different root CAs on the server to verify client certificates (e.g. with EAP-TLS) from different roots then either configure ca_path in the eap module, or make duplicate eap module instances and call the appropriate one depending on the incoming request.
authenticate { ... Auth-Type eap { if ("%{unpack:&EAP-Message 4 byte}" == 1) { update control { TLS-Session-Cert-File := "${certdir}/realms/%{Realm}" } } eap
"eap" here should be inside the "Auth-Type eap" section.
} ... }
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html