On Aug 8, 2005, at 9:39 AM, Landon Cox wrote:
I'm going to do some experiments later tonight and see if I can isolate the success factor.
Back on this topic for a moment...some things I tried to see if I could break the configuration were: 1) remove the certs from the /etc/ssl/certs directory, restart FR, no difference - still hooked up fine since the certs are also in raddb/certs. I decided to generate a client cert for a Mac box and when I imported it into the Keychain of OS X, I noticed "This certificate is not yet valid". I went back and looked at the output of the certificate generation and the "validity Not Before" gave a date/time stamp that was 1 hour future (my timezone setting was off by one hour.) But this made me wonder....was the unknown_ca problem caused by the CA cert having a "Not Valid Before" validity that was in the future from the real time when it was generated and then initially tested? Is this a possible cause for an unknown_ca error? Landon