Hi,

2013/9/16 <A.L.M.Buxey@lboro.ac.uk>

we've had no problems with self-signed CA or with 3rd party CA and standard
RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point)
URL defined. that can either be at CA level or RADIUS level - or both.

eg

crlDistributionPoints = URI:http://yoururl.here/ca.crl

in the server extensions.
Thank you Alan, at least good to hear someone is out there who got it working.

Hmm the server certificate though seems  to contain a CRLDP. I'v tried removing personal 
and attach the openssl output at the end, maybe someone spots a problem...

Do you happen to have Subject Alternate Names or would you avoid it with RADIUS?
(That certificate does have them) I know for example that some exotic or (very old) 
browsers for example can have problems with SAN, but yet didn't encounter any with PEAP this far.

The file also contains (in order of appearance): Root CA cert, 1 intermediate CA, then the server cert if
that's of importance.

-- Mathieu

# openssl x509 -text -in /etc/freeradius/certs/myserver.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: <snip!>
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: <snip>
            Not After : <snip>
        Subject: ..., C= ... <snip>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: snip! (yes it's larger than 1024 bit) ;-)
                Modulus:
                <snip>
                
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73
            X509v3 Authority Key Identifier:
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86

            X509v3 Subject Alternative Name:
                DNS: <snip!>
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.startssl.com/crt2-crl.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
    <snip>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----