EAP-TLS certificate question

K. Hoercher wbhoer at gmail.com
Fri Jan 19 11:55:23 CET 2007


On 1/17/07, kemas <k_henry at ramayana.co.id> wrote:
> I'm still confused about certificates: can all client certificates created
> under 1 root CA be authenticated against a FreeRADIUS that started
> with a different server certificate?
>
> Is it possible to set things up like this?
>
>                         root ca
>                       ------------
>                     /     |       \
>                   /       |        \
>                 /         |         \
>         server1         server2     server3
>         -------         -------     -------
>            |              |           |
>            |              |           |
>         client1         client2     client3
>
> I don't want client1 to be authenticated against server2 or server3.
>

1. client certificates that are "under 1 root ca" are accepted
with respect to the SSL/TLS side of things (other restrictions you
implement/configure notwithstanding). The 1 root ca would be the one
you tell the server to trust in CA_file. There might even be more than
one, which should then reside in a place referenced in CA_path.

2. the servers' certificates are accepted by the supplicant if _they_
trust the pertinent root ca.

3. All those root cas being identical is in no way mandatory, while
they might (often) be.

4. I'm not sure how to interpret your schema above. If construed to
mean that client certificates have to be in some way issued from the
servers' certificates, that is wrong (as in "don't need to be") and,
while perhaps technically possible, ill-advised from the SSL/TLS point
of view.

Good starting points for further reading would be RFCs 2716 and 2246,
maybe documentation of openssl.

Regards
K. Hoercher
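An added illustration of points 1 and 4 above, not part of this thread (it assumes `openssl` is on the PATH; all names such as "Demo Root CA", server1 and client1 are constructed): one root CA issues two server certificates and one client certificate, the client certificate verifies against the root you would put in CA_file no matter which server certificate is in use, and it does not verify "under" a server certificate, because a server certificate is not its issuer.

```shell
#!/bin/sh
# Constructed demo of EAP-TLS trust relationships with openssl (not FreeRADIUS code).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA: this is what a RADIUS server would reference in CA_file.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 30 -subj "/CN=Demo Root CA" >/dev/null 2>&1

# issue NAME: create a key/CSR for CN=NAME and sign it with the root CA -> NAME.pem
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$1.pem" -days 30 >/dev/null 2>&1
}
issue server1
issue server2
issue client1

# verify_against TRUST_FILE CERT: "ok" if CERT chains to TRUST_FILE, else "fail".
# TRUST_FILE plays the role of CA_file on the server (or the supplicant's trust store).
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Point 1: the client chains to the root CA regardless of which server cert is in use.
echo "client1 vs root CA:       $(verify_against ca.pem client1.pem)"
# Point 2: both server certs chain to the same root the supplicant trusts.
echo "server1 vs root CA:       $(verify_against ca.pem server1.pem)"
echo "server2 vs root CA:       $(verify_against ca.pem server2.pem)"
# Point 4: a server certificate is not an issuer; the client cert does not verify "under" it.
echo "client1 vs server1 cert:  $(verify_against server1.pem client1.pem)"
```

Restricting client1 to server1 therefore cannot come from the TLS trust chain alone; it needs a separate policy check on the client certificate (for example on its subject or issuer) on each server.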


