WPA Enterprise Certificate renewal for FreeRadius
I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius authentication certificate currently. My eap.conf 'certificate file' contains the certificate only, not the root and/or intermediates. That seems to be ok, since most clients already have the Thawte Root certificate installed. I renewed the new certificate just recently and discovered that Thawte is no longer issuing certificates under the old root so my clients will likely be asked to trust the new certificate when I install it. All my documentation changes as well but that's another story. My question is, what is the value of adding the roots/intermediates to the certificate file i.e certificate_file = ${certdir}/certificate.crt? Does it really allow a client without the Root already installed to verify this certificate? -Mike
Mike Diggins <mike.diggins@mcmaster.ca> wrote:
I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius authentication certificate currently. My eap.conf 'certificate file' contains the certificate only, not the root and/or intermediates. That seems to be ok, since most clients already have the Thawte Root certificate installed.
I renewed the new certificate just recently and discovered that Thawte is no longer issuing certificates under the old root so my clients will likely be asked to trust the new certificate when I install it. All my documentation changes as well but that's another story.
My question is, what is the value of adding the roots/intermediates to the certificate file i.e certificate_file = ${certdir}/certificate.crt? Does it really allow a client without the Root already installed to verify this certificate?
No, if the client does not know/trust the root certificate, it will not work/ask the user. But it will help if the client only includes the root but not any intermediate certificates. So it is a good idea to append intermediate and root certificates (i.e. the whole chain to the root) to your server certificate. Grüße, Sven. -- Sigmentation fault. Core dumped.
On 09/01/12 17:42, Mike Diggins wrote:
I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius authentication certificate currently. My eap.conf 'certificate file' contains the certificate only, not the root and/or intermediates. That seems to be ok, since most clients already have the Thawte Root certificate installed.
I renewed the new certificate just recently and discovered that Thawte is no longer issuing certificates under the old root so my clients will likely be asked to trust the new certificate when I install it. All my documentation changes as well but that's another story.
My question is, what is the value of adding the roots/intermediates to the certificate file i.e certificate_file = ${certdir}/certificate.crt? Does it really allow a client without the Root already installed to verify this certificate?
Most clients: 1. Have all the common "top-level" CAs installed 2. May or may not have the intermediate CAs We put the server & intermediate certs (NOT the top-level) into the cert file, and in our experience this lets all clients (Windows, MacOS, iOS, Android) connect without errors. I believe that, if the client really does lack the top-level CA, you're screwed. You will have to manually install at least the top-level cert, except on MacOS (and possibly iOS, but not sure).
On Mon, 9 Jan 2012, Phil Mayers wrote:
On 09/01/12 17:42, Mike Diggins wrote:
I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius authentication certificate currently. My eap.conf 'certificate file' contains the certificate only, not the root and/or intermediates. That seems to be ok, since most clients already have the Thawte Root certificate installed.
I renewed the new certificate just recently and discovered that Thawte is no longer issuing certificates under the old root so my clients will likely be asked to trust the new certificate when I install it. All my documentation changes as well but that's another story.
My question is, what is the value of adding the roots/intermediates to the certificate file i.e certificate_file = ${certdir}/certificate.crt? Does it really allow a client without the Root already installed to verify this certificate?
Most clients:
1. Have all the common "top-level" CAs installed 2. May or may not have the intermediate CAs
We put the server & intermediate certs (NOT the top-level) into the cert file, and in our experience this lets all clients (Windows, MacOS, iOS, Android) connect without errors.
I believe that, if the client really does lack the top-level CA, you're screwed. You will have to manually install at least the top-level cert, except on MacOS (and possibly iOS, but not sure). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Do the certificates need to be listed in any particular order in the certificate_file? -Mike
Mike Diggins <mike.diggins@mcmaster.ca> wrote:
Do the certificates need to be listed in any particular order in the certificate_file?
I have had the best experience with the following order: Server-Cert frist then Intermedite-Cert [ then additional Intermedite-Certs ] then Root-Cert The Root-Cert can be omitted, but its presence made no difference in my environment. Grüße, Sven. -- Sigmentation fault. Core dumped.
On 01/09/2012 07:26 PM, Mike Diggins wrote:
Do the certificates need to be listed in any particular order in the certificate_file?
I have: server cert intermediate cert ...but as someone has reported having the opposite, I guess the answer is "any order". In theory, OpenSSL sorts all that out for you - the API FreeRADIUS calls is just "here is a key" followed by "here is a whole load of certs"
Hi,
My question is, what is the value of adding the roots/intermediates to the certificate file i.e certificate_file = ${certdir}/certificate.crt? Does it really allow a client without the Root already installed to verify this certificate?
for a client to validate a cert, it needs to already know and trust the CA for that cert - otherwise one half of the trust relationship is gone. IF you need to use an intermediate as well as the server cert, then by sending it down the link to the client, you can ensure the client will be happy with the server cert (so long as they trust the CA) if they havent already got the intermediate. alan
participants (4)
-
Alan Buxey -
Mike Diggins -
Phil Mayers -
Sven Hartge