CA Chain

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Jan 26 10:53:10 CET 2007


Jeffrey Sewell wrote:
> Thank you for your reply.
> 
> We are (with the exception of some prototype tests) going to be
> completely EAP-TLS.
> 
> Your answer brings me back to my original issue--the CA_path does not
> exist in the eap.conf file. If I add it, it doesn't seem to work (on
> 1.1.4).

Hm, here it does work. Have you run c_rehash in that directory? Are the
files and the directory readable by the radiusd process? Did you choose to
run radiusd under some other user than root?

> Just adding additional certs to the CA_file seems to work, but I'd
> prefer to have proper signed (c_rehash) sym-links.

??? This is not a signature, it's some very short fingerprint of the
SubjectDN of the CA cert.

Have you set verify_depth = 0 for a start? You should probably set it to the
lowest positive integer (except 0) that your CA hierarchy setup and your
client certs are working with.

Have you set check_crl = no to test if the CA certificate setup is working?
Later on you should set it to yes for obvious reasons and get up-to-date CRLs.

-- 
Kind Regards

Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, Hamburg District Court, HRB 88805, VAT ID: DE 232129737
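
An added example, not part of the original message or of FreeRADIUS: a Python check for the questions asked in the reply above (has c_rehash been run in the CA_path directory, and can the user radiusd runs as read the directory and files). The function name check_ca_path is hypothetical; the check assumes hash entries are symlinks, looks only at Unix mode bits (no ACLs), and does not verify that a link name matches the certificate's actual subject hash.

```python
import os
import pwd
import re
import sys

# Link names c_rehash creates: 8 hex digits, then ".N" (certificate) or ".rN" (CRL).
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
# File extensions c_rehash scans for certificates and CRLs.
CERT_EXT = (".pem", ".crt", ".cer", ".crl")

def allowed(st, uid, gids, want):
    """Unix mode-bit check for uid/gids (ACLs and capabilities are ignored)."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & want == want

def check_ca_path(ca_path, uid, gids):
    """List what would stop a process with uid/gids using ca_path as a hashed CA dir."""
    problems = []
    if not allowed(os.stat(ca_path), uid, gids, 0o5):
        problems.append(f"{ca_path}: directory lacks read/search permission")
    linked, plain = set(), set()
    for name in sorted(os.listdir(ca_path)):
        path = os.path.join(ca_path, name)
        if HASH_LINK.match(name):
            if not os.path.exists(path):  # exists() follows the symlink
                problems.append(f"{name}: dangling hash link")
                continue
            linked.add(os.path.realpath(path))
        elif name.endswith(CERT_EXT) and os.path.isfile(path):
            plain.add(os.path.realpath(path))
        else:
            continue
        if not allowed(os.stat(path), uid, gids, 0o4):
            problems.append(f"{name}: not readable")
    for path in sorted(plain - linked):
        problems.append(f"{os.path.basename(path)}: no hash link, run c_rehash")
    return problems

if __name__ == "__main__":  # usage: check_ca_path.py CA_PATH USER
    user = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    print("\n".join(check_ca_path(sys.argv[1], user.pw_uid, gids)) or "ok")
```

Run it with the CA_path directory and the account radiusd runs under; an empty result ("ok") means the directory layout and permissions are not what is blocking certificate verification.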