Quick question RE: FreeRADIUS Trusted Root CA List
I work in a test environment and need to test with certs created with different CA's. I haven't been able to get more than one CA at a time to work. I've got 8 CA's and I need to keep 7 commented out for the certs to authenticate. The question is can FreeRADIUS support more than one CA at a time, and if so how? FreeRADIUS 1.0.0-Pre3 tls { private_key_password = password private_key_file = /etc/1x/freeradius.pem #private_key_file = /etc/1x/server512.pem #private_key_file = /etc/1x/server1024.pem #private_key_file = /etc/1x/server1024v3.pem #private_key_file = /etc/1x/server1536.pem #private_key_file = /etc/1x/server2048.pem #private_key_file = /etc/1x/server4096.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = /etc/1x/freeradius.pem #certificate_file = /etc/1x/server512.pem #certificate_file = /etc/1x/server1024.pem #certificate_file = /etc/1x/server1024v3.pem #certificate_file = /etc/1x/server1536.pem #certificate_file = /etc/1x/server2048.pem #certificate_file = /etc/1x/server4096.pem # Trusted Root CA list CA_file = /etc/1x/FlukeNetWotter.pem #CA_file = /usr/local/etc/raddb/certs/PV_512_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_768_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1024_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1280_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1536_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1792_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_2048_CA.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random thanks... Larry This message (including any attachments) contains confidential and/or proprietary information intended only for the addressee. Any unauthorized disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited and may constitute a violation of law. If you are not the intended recipient, please notify the sender immediately by responding to this e-mail, and delete the message from your system. If you have any questions about this e-mail please notify the sender immediately.
-------- Original-Nachricht --------
Datum: Fri, 1 Feb 2008 10:39:27 -0800 Von: "Cerney, Lawrence" <Lawrence.Cerney@flukenetworks.com> An: freeradius-users@lists.freeradius.org Betreff: Quick question RE: FreeRADIUS Trusted Root CA List
I work in a test environment and need to test with certs created with different CA's. I haven't been able to get more than one CA at a time to work. I've got 8 CA's and I need to keep 7 commented out for the certs to authenticate.
The question is can FreeRADIUS support more than one CA at a time, and if so how?
FreeRADIUS 1.0.0-Pre3
tls { private_key_password = password private_key_file = /etc/1x/freeradius.pem #private_key_file = /etc/1x/server512.pem #private_key_file = /etc/1x/server1024.pem #private_key_file = /etc/1x/server1024v3.pem #private_key_file = /etc/1x/server1536.pem #private_key_file = /etc/1x/server2048.pem #private_key_file = /etc/1x/server4096.pem
# If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = /etc/1x/freeradius.pem #certificate_file = /etc/1x/server512.pem #certificate_file = /etc/1x/server1024.pem #certificate_file = /etc/1x/server1024v3.pem #certificate_file = /etc/1x/server1536.pem #certificate_file = /etc/1x/server2048.pem #certificate_file = /etc/1x/server4096.pem
# Trusted Root CA list CA_file = /etc/1x/FlukeNetWotter.pem #CA_file = /usr/local/etc/raddb/certs/PV_512_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_768_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1024_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1280_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1536_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1792_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_2048_CA.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random thanks...
Larry
This message (including any attachments) contains confidential and/or proprietary information intended only for the addressee. Any unauthorized disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited and may constitute a violation of law. If you are not the intended recipient, please notify the sender immediately by responding to this e-mail, and delete the message from your system. If you have any questions about this e-mail please notify the sender immediately.
To trust more than one CA, you simply have to copy all the root-certificates into one file: for example: CA_file = /etc/1x/trustedcas.pem I tested this with 3 CAs, and it works. Do you really need 8 different server-certificates? So, how should the server decide which certificate he must send the client? Sebastian -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger
Hola, maybe of the point but you can use openssl´s built in tools to check CA, server and client certificates.
openssl "s_client" or "s_server"
// J Cerney, Lawrence wrote:
I work in a test environment and need to test with certs created with different CA's. I haven't been able to get more than one CA at a time to work. I've got 8 CA's and I need to keep 7 commented out for the certs to authenticate.
The question is can FreeRADIUS support more than one CA at a time, and if so how?
FreeRADIUS 1.0.0-Pre3
tls { private_key_password = password private_key_file = /etc/1x/freeradius.pem #private_key_file = /etc/1x/server512.pem #private_key_file = /etc/1x/server1024.pem #private_key_file = /etc/1x/server1024v3.pem #private_key_file = /etc/1x/server1536.pem #private_key_file = /etc/1x/server2048.pem #private_key_file = /etc/1x/server4096.pem
# If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = /etc/1x/freeradius.pem #certificate_file = /etc/1x/server512.pem #certificate_file = /etc/1x/server1024.pem #certificate_file = /etc/1x/server1024v3.pem #certificate_file = /etc/1x/server1536.pem #certificate_file = /etc/1x/server2048.pem #certificate_file = /etc/1x/server4096.pem
# Trusted Root CA list CA_file = /etc/1x/FlukeNetWotter.pem #CA_file = /usr/local/etc/raddb/certs/PV_512_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_768_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1024_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1280_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1536_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_1792_CA.pem #CA_file = /usr/local/etc/raddb/certs/PV_2048_CA.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random thanks...
Larry
This message (including any attachments) contains confidential and/or proprietary information intended only for the addressee. Any unauthorized disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited and may constitute a violation of law. If you are not the intended recipient, please notify the sender immediately by responding to this e-mail, and delete the message from your system. If you have any questions about this e-mail please notify the sender immediately.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Quick-question-RE%3A-FreeRADIUS-Trusted-Root-CA-List-t... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Cerney, Lawrence -
Jayal1972 -
Sebastian Heil