Phil Mayers escribió:
ok :) I provide certificate files and eap.conf in a tar ball to not to post a mail too long. If I print user@example.com.pem in text form I see how radius is the issuer of the certificate. This is the default PKI and I don't know what I'm doing wrong. Thanks for your attention.
I get the exact same error at the CLI:
[pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < server.pem stdin: OK
[pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < user\@example.com.pem stdin: /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com error 20 at 0 depth lookup:unable to get local issuer certificate
Your certificates are invalid:
* server.pem is signed by ca.pem, which is correct:
Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority
Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
* user.pem is signed by *server.pem* which is WRONG
Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.com/emailAddress=user@example.com
You have signed the user cert with the server cert, which is incorrect. You must sign the user cert with the CA cert.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yeah!! Then you're agree with me. I've been explaining (trying) in this forum that client cert must be signed by ca cert. bootstrap command sign client cert with server.key and this not works. The solution is to replace de signing in certs/Makefile (-key server.key -cert server.pem should be -key ca.key -cert ca.pem). Then , are you agree with me when I say, with fear and respect, that default radius PKI doesn't work?. Second: if I sign client certificates with ca.key I assume that I can't manage de CRL because it sholud be signed with server.key, am I right? what do you think about this? Thanks