Remember when you put your Root CA file (and perhaps the CRL for that CA) into your certificate directory, and ran 'c_rehash <cert directory>'?
If you mean when I installed ssl certs for Apache, I never did this. I simply put the server cert and the chain file on the server, then configured mod_ssl with 2 required parameters - CertificateFile and CertificateChainFile. No (re)hashing was required.
Well - it's just like that. You might have had RootCA.pem with the Verisign CA certificate. Personally - I like to have a separate file for each intermediate CA certificate in the chain.
What i've got currently can be up to 3 files. Firstly, the server certificate itself, which has been signed by Verisign's Intermediate CA, then the cert for said Intermediate CA, and finally the root cert used to sign the Intermediate CA. My current setup is with the server cert in a file on it's own (jrs-radius02.pem is the cert, jrs-radius02.key is the keyfile), and the intermediate and root certs in the same file (verisign.pem. Intermediate cert at the top, root cert at the bottom). I then have the following config lines in the tls section of eap.conf for FreeRADIUS to reference these files: private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem CA_file = ${certdir}/jrs-radius02/verisign.pem
When you think you are done - you can test the validity of your new certificate like this:
openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert
I've actually dropped the -crl_check from this test, as i'm not doing crl checking within FreeRADIUS until i've got it working without it. Also, this command didn't seem to work when my verisign.pem contained > 1 cert, even after a c_rehash, it only worked if all the certs were in individual files: jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath . jrs-radius02.pem jrs-radius02.pem: OK As such, I also tried commenting out CA_file in eap.conf and instead having: CA_path = ${certdir}/jrs-radius02/ With all my certs in individual files, but that gave the same behaviour, i.e. that on my client it shows me the certificate it got passed, for the jrs-radius02 server, but it doesn't have a certificate chain back to a known trusted root.
Hope this helps. Give it a go and let us know if you have any problems.
This still appears to be failing to pass the certificate chain. The root cert *definitely* exists on my test client (I extracted it from there and diffed it with the one on the server). If I install the intermediate cert on the client, then everything works fine (but I don't want to have to try and get my users to understand the process of installing a cert before getting online). However when Windows XP prompts me to accept the certificate FreeRADIUS is handing out it doesn't have any chain listed at all, so I assume is still not being handed that Intermediate cert. Thanks very much for the help so far. Any more would be greatly appreciated. I can attach full config files if you think that would be helpful. Dan
On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan <d.meyers@lancaster.ac.uk> wrote:
I'm sure I must just be being thick with our FreeRADIUS config, but i've completed failed to find anything online or in the docs explaining *what* i'm doing wrong, so i'm posting here.
We've had a FreeRADIUS server set up for some time now, with an SSL certificate directly signed by one of Verisign's root CA's, for the purposes of doing EAP-TLS domain auth. This worked fine on both FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a month, and it would appear no one issues root signed certs any more, they're all cert chains. Obviously with things like apache this is fine, as you install the chain bundle file at the same time as your actual cert, and the chain gets passed to the client, who follows it to a root CA they do already trust. I'm having trouble working out how to do this with FreeRADIUS however. All the info I can find suggests that if I edit my certificate file so that it contains multiple certs, from least trusted at the top (my server cert) down the chain and file to the one which has been signed by a root CA the user's machine will already trust, then machines will follow the chain as expected and accept the certificate. However if I do this, and have a chain file of the same format as I use successfully on the web server (i.e. multiple BEGIN and END blocks with a single cert between each pair), then my client machines still fail to pick up the chain, and thus can't validate the certificate.
Am I missing something blindingly obvious with regards to how to do certificate chains in FreeRADIUS? If so, please tell me what.
Thanks