Alan DeKok escribió:
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the "client.crt" Makefile target in /etc/raddb/certs is signing the client key with the server key. Is this intentional, or a bug?
It's intentional. It's a perfectly valid use of certificate chains.
The idea is that you have one CA for your organization, and (perhaps) multiple RADIUS servers. Each server has it's own identity, and can issue it's own client certs for EAP-TLS. But client certs will work across multiple servers, because the servers are signed by the same CA.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry, only one more note. bootstrap command doesn't make client certs. you need to execute "make client.pem" to make it. I also assume that it is normal.