Hi, 2013/9/16 <A.L.M.Buxey@lboro.ac.uk>
we've had no problems with self-signed CA or with 3rd party CA and standard RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point) URL defined. that can either be at CA level or RADIUS level - or both.
eg
crlDistributionPoints = URI:http://yoururl.here/ca.crl
in the server extensions.
Thank you Alan, at least good to hear someone is out there who got it working. Hmm the server certificate though seems to contain a CRLDP. I'v tried removing personal and attach the openssl output at the end, maybe someone spots a problem... Do you happen to have Subject Alternate Names or would you avoid it with RADIUS? (That certificate does have them) I know for example that some exotic or (very old) browsers for example can have problems with SAN, but yet didn't encounter any with PEAP this far. The file also contains (in order of appearance): Root CA cert, 1 intermediate CA, then the server cert if that's of importance. -- Mathieu # openssl x509 -text -in /etc/freeradius/certs/myserver.pem Certificate: Data: Version: 3 (0x2) Serial Number: <snip!> Signature Algorithm: sha1WithRSAEncryption Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA Validity Not Before: <snip> Not After : <snip> Subject: ..., C= ... <snip> Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: snip! (yes it's larger than 1024 bit) ;-) Modulus: <snip> X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73 X509v3 Authority Key Identifier: keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 X509v3 Subject Alternative Name: DNS: <snip!> X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 Policy: 1.3.6.1.4.1.23223.1.2.3 CPS: http://www.startssl.com/policy.pdf User Notice: Organization: StartCom Certification Authority Number: 1 Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations. X509v3 CRL Distribution Points: Full Name: URI:http://crl.startssl.com/crt2-crl.crl Authority Information Access: OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca CA Issuers - URI: http://aia.startssl.com/certs/sub.class2.server.ca.crt X509v3 Issuer Alternative Name: URI:http://www.startssl.com/ Signature Algorithm: sha1WithRSAEncryption <snip> -----BEGIN CERTIFICATE----- <snip> -----END CERTIFICATE-----