CA Chain

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Mon Jan 22 13:53:14 CET 2007


Jeffrey Sewell wrote:
> In the eap.conf, tls section, the comments say to use the 'CA_path'
> variable in the radiusd.conf file to indicate where the trusted CA
> chain will reside. However, this variable isn't in the tls section of
> the radiusd.conf file (it is in the LDAP section, but I'm pretty sure that
> won't help me) or the eap.conf file (where I thought it might
> have moved). As an experiment, I added it to eap.conf and it loaded ok
> with the following output:
> 
> tls: CA_path = "/usr/local/etc/raddb/certs/rootCA"
> ...
> tls: CA_file = "(null)"
> 
> Unfortunately the CA_file is the important one as I discovered when I
> tested the link:
> 
> Fri Jan 19 09:51:05 2007 : Error: TLS Alert write:fatal:unknown CA
> 
> So where is the appropriate place for the root chain?

For eap-tls and eap-ttls, in eap.conf in the eap section and therein in the
tls section, put the server certificate of your RADIUS server into the file

eap {
...
  tls {
...
    private_key_file = ${raddbdir}/certs/radius-server-key.pem
    certificate_file = ${raddbdir}/certs/radius-server-cert-and-chain.pem
...
  }
...
}
and then *add* the appropriate chain CA certificates to this file.
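Added here as an illustration (this is not part of Reimer's reply and not FreeRADIUS code): a small Python checker for the certificate_file bundle described above. It parses only as much DER as is needed to read subject and issuer, verifies that the server certificate comes first and that each following certificate issued the one before it (the order OpenSSL walks when it builds the chain), and can assemble such a bundle from a pool of CA certificates. The certificate names and the unsigned sample certificates at the bottom are constructed placeholders; on a real server you would feed it the contents of radius-server-cert-and-chain.pem.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(text)]


def to_pem(der):
    """Wrap DER bytes as one PEM CERTIFICATE block."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; returns (tag, value, end). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed DER value into (tag, raw TLV bytes) per child element."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = _read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings from the TBSCertificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }   (RFC 5280)"""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0][1], 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:  # explicit [0] version tag present (v2/v3 certificates)
        fields = fields[1:]
    return fields[4][1], fields[2][1]


def check_chain_order(bundle_pem):
    """Check a certificate_file bundle: leaf first, each following cert issued the one before.
    Returns a list of problems; an empty list means the ordering is usable."""
    certs = [subject_issuer(d) for d in pem_certs(bundle_pem)]
    if not certs:
        return ["no certificates found"]
    problems = []
    if len(certs) == 1:
        problems.append("only one certificate: the chain CA certificates are missing")
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:  # issuer of cert i must equal subject of cert i+1
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return problems


def order_chain(leaf_pem, pool_pem):
    """Assemble the bundle: the leaf, then its issuers in order, stopping at a self-signed root."""
    pool = {subject_issuer(d)[0]: d for d in pem_certs(pool_pem)}  # keyed by subject Name
    chain = [pem_certs(leaf_pem)[0]]
    subj, iss = subject_issuer(chain[0])
    while subj != iss and iss in pool:  # stop at a self-signed cert or an unknown issuer
        chain.append(pool[iss])
        subj, iss = subject_issuer(pool[iss])
    return "".join(to_pem(d) for d in chain)


# --- constructed sample input: unsigned placeholder certificates, not real CA certs ---
def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name with a single CN attribute (OID 2.5.4.3, UTF8String)."""
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """X.509 v3 skeleton with the real field order but a dummy key and signature."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"070101000000Z") + _tlv(0x17, b"080101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return to_pem(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00")))


LEAF = fake_cert("radius.example.org", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print("leaf only:", check_chain_order(LEAF))
    print("wrong order:", check_chain_order(INTERMEDIATE + LEAF))
    print("rebuilt bundle:", check_chain_order(order_chain(LEAF, ROOT + INTERMEDIATE)))
```

A bundle that fails check_chain_order is exactly the situation behind the "unknown CA" alert quoted above: the server sends only its own certificate (or the chain in the wrong order) and the client cannot walk up to a CA it trusts. The checker compares the raw DER Name encodings, so it does not need a crypto library; it does not verify signatures, which is what openssl verify is for once the file is assembled.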

Additionally, if you do *not* use eap-tls, you want CA_path to point to an
existing *empty* directory, and you do *not* want to specify the CA_file option.

eap {
...
  tls {
...
    # CA_file = /dev/null
    CA_path = ${raddbdir}/certs/trustedCAs-emptydir/
    verify_depth = 1
...
  }
...
}

If you were looking to use the RADIUS server as an *LDAP client* to a backend
LDAP database, the above options are not relevant for the LDAP client part. In
this case you need to fiddle with the options in radiusd.conf under modules
and therein under the ldap section:

modules {
...
  ldap {
...
    # start_tls = no
    # tls_cacertfile = ${raddbdir}/certs/trusted-root-CA-certs-for-ldap-server.pem
    # tls_cacertdir = ${raddbdir}/certs/trusted-root-CA-certs-dir-for-ldap-server/
    # tls_keyfile = ${raddbdir}/certs/radius-ldap-client-key.pem
    # tls_certfile = ${raddbdir}/certs/radius-ldap-client-cert-and-chain.pem
    # tls_randfile = ${raddbdir}/certs/rnd
    # tls_require_cert = "demand"
...
  }
...
}

HTH

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, Hamburg District Court (AG Hamburg), HRB 88805, VAT ID: DE 232129737

14th DFN-CERT Workshop and Tutorials, CCH Hamburg, 7-8 February 2007
Information / registration at: https://www.dfn-cert.de/events/ws/2007/