On Wed, 29 Jun 2011 15:03:33 +0200, Alan DeKok <aland@deployingradius.com> wrote:
I thought it was some advanced chained root thing, but I never got it to work even once, so I wrote my own, but it sucks. I think it may be a bug, and you just reminded me of that. someone who knows what they're actually on about should investigate that and see if it needs fixin' or filin'. It's a bug. The simplest thing to do is to make the client cert signed by the CA cert. This might have been done already, but I don't recall.
Patches are welcome. I just checked 2.1.11 and that's fine. In raddb/certs/Makefile:
------- client.crt: client.csr ca.pem ca.key openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ------- -- mandi, Marco