Hi,
Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done.
those files provide a good starting point if you want to use your own self-signed cert - they provide required CA configuration and extensions.
The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA?
on the server, you need to have the CA and any intermediates concatenated into one file and read via the certificate_file option (ONLY use the CA_file if doing EAP-TLS!!)
What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert?
just the CA root....as the intermediate is being fed to it from the server. you could install the intermediates too if the OS supports that.
I there anything else I need to consider? We're using TinyCA 0.7.5.
yes, ensure the cert you generate for the server contains the required extensions and ensure that the CA you are using is correct/proper for 802.1X on modern OSes (this is also something that you will need to keep an eye on as the OS vendors are changing their rules...) - so ensure theres no MD5 at all - all SHA1 (256 or better!) , ensure the CA contraints are set, ensure theres an OSCP marker even thouhg its not used (thanks Windows Phone!) alan