CA Chain

Jeffrey Sewell jeffrey.sewell at gmail.com
Mon Jan 22 17:16:16 CET 2007


Thank you.

So if I understand this correctly, radiusd is not looking for a
directory with checksum'd certificates, just one file with all the
certificates in it?

Our implementation is still in the design phase and is not using LDAP
but we will be testing LDAP at a later date so I will keep your advice
in mind.

JS

On 1/22/07, Reimer Karlsen-Masur, DFN-CERT <karlsen-masur at dfn-cert.de> wrote:
> Jeffrey Sewell wrote:
> > In the eap.conf, tls section, the comments say to use the 'CA_path'
> > variable in the radiusd.conf file to indicate where the trusted CA
> > chain will reside. However, this variable isn't in the tls section of
> > the radiusd.conf file (it is in the LDAP section, but I'm pretty sure that
> > won't help me) or the eap.conf file (where I thought it might
> > have moved). As an experiment, I added it to eap.conf and it loaded ok
> > with the following output:
> >
> > tls: CA_path = "/usr/local/etc/raddb/certs/rootCA"
> > ...
> > tls: CA_file = "(null)"
> >
> > Unfortunately the CA_file is the important one as I discovered when I
> > tested the link:
> >
> > Fri Jan 19 09:51:05 2007 : Error: TLS Alert write:fatal:unknown CA
> >
> > So where is the appropriate place for the root chain?
>
> For eap-tls and eap-ttls, in eap.conf in the eap section and therein in the
> tls section, put the server certificate of your radius server into the file
>
> eap {
> ...
>   tls {
> ...
>     private_key_file = ${raddbdir}/certs/radius-server-key.pem
>     certificate_file = ${raddbdir}/certs/radius-server-cert-and-chain.pem
> ...
>   }
> ...
> }
> and then *add* the appropriate chain ca certificates to this file.
>
> Additionally if you do *not* use eap-tls you want CA_path= point to an
> existing *empty* directory and you do *not* want to specify the CA_file option.
>
> eap {
> ...
>   tls {
> ...
>     # CA_file = /dev/null
>     CA_path = ${raddbdir}/certs/trustedCAs-emptydir/
>     verify_depth = 1
> ...
>   }
> ...
> }
>
> If you were looking to use the radius server as *LDAP client* to a backend
> LDAP database, the above options are not relevant for the LDAP client part. In
> this case you need to fiddle with the options in radiusd.conf under modules
> and therein under the ldap section:
>
> modules {
> ...
>   ldap {
> ...
>     # start_tls = no
>     # tls_cacertfile = ${raddbdir}/certs/trusted-root-CA-certs-for-ldap-server.pem
>     # tls_cacertdir = ${raddbdir}/certs/trusted-root-CA-certs-dir-for-ldap-server/
>     # tls_keyfile = ${raddbdir}/certs/radius-ldap-client-key.pem
>     # tls_certfile = ${raddbdir}/certs/radius-ldap-client-cert-and-chain.pem
>     # tls_randfile = ${raddbdir}/certs/rnd
>     # tls_require_cert = "demand"
> ...
>   }
> ...
> }
>
> HTH
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
>
> 14th DFN-CERT Workshop and Tutorials, CCH Hamburg, 7-8 February 2007
> Info/registration at: https://www.dfn-cert.de/events/ws/2007/
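The two trust-anchor forms the thread compares, one PEM bundle with the chain appended (the certificate_file / CA_file style) versus a directory of hash-named CA certificates (the CA_path style, which is what the "checksum'd" directory is), as an added shell example that is not part of the thread or of FreeRADIUS. It assumes an openssl binary is on the PATH; the subjects, file names and the trustedCAs directory are constructed for the demo.

```shell
# Added example, not from the thread. Builds a throw-away root -> intermediate -> server
# PKI, then checks the server cert against the root given (a) as a single PEM file with
# the chain supplied from the cert-and-chain bundle and (b) as a <subject-hash>.<n>
# directory, the layout OpenSSL (and so CA_path) expects. Names are constructed for the demo.
set -u
WORK=$(mktemp -d)
gen_pki() (
    set -e
    cd "$WORK"
    # Extensions that make the intermediate a real CA (otherwise verification rejects it).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out inter.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 365 -out server.pem >/dev/null 2>&1
)
# Bundle form: server certificate first, then the chain CA(s) appended to the same file.
make_chain_bundle() {
    cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/radius-server-cert-and-chain.pem"
}
# Directory form: each trusted CA is stored (or symlinked) under its subject hash.
make_ca_path() {
    mkdir -p "$WORK/trustedCAs" || return 1
    h=$(openssl x509 -hash -noout -in "$WORK/root.pem") || return 1
    ln -sf "$WORK/root.pem" "$WORK/trustedCAs/$h.0"
}
# Leaf alone against the root: fails, because the intermediate is missing from the chain.
verify_leaf_without_chain() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Leaf with the bundle supplying the chain: succeeds.
verify_with_bundle() {
    openssl verify -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/radius-server-cert-and-chain.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Same check with the root taken from the hashed directory instead of a file.
verify_with_ca_path() {
    openssl verify -CApath "$WORK/trustedCAs" \
        -untrusted "$WORK/inter.pem" "$WORK/server.pem" >/dev/null 2>&1
}
```

The hash-named entry in trustedCAs is what c_rehash or `openssl rehash` would produce for a directory; the same root.pem content works in either form, the difference is only how the verifier locates it.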