rlm_eap_tls restrict issuer

Alan DeKok aland at ox.org
Mon Mar 6 23:40:59 CET 2006

Benjamin Bennett <ben at psc.edu> wrote:
> For example, if we have a root CA (A), that issues another CA cert (B),
> from which our client certs will be issued, our CA_file must contain
> both A & B certs to validate our clients. However, certs issued directly
> from A will then also be valid.

  Yes, this is currently how it works.  There's no real reason, other
than no one has added code to distinguish one cert from another.

> I'm about to add a check_cert_issuer (PW_TYPE_STRING_PTR) config option
> set to the DN of the issuer we want to use, and a string compare in
> cbtls_verify() just before the check_cert_cn happens. Does that sound
> about right?

  It should work.  Please submit the patch to bugs.freeradius.org, so
others can use it, too.

  Alan DeKok.

More information about the Freeradius-Devel mailing list