The EAP Saga begins.
Evan Vittitow
evan at terralab.com
Mon Jan 29 02:23:38 CET 2007
>
> To repeat my previous email - xsupplicant does not have a CA cert that
> allows it to trust the server.
>
> The line:
>
> Loaded root certificate /etc/raddb/certs/cert-clt.pem
>
> ...looks wrong. It looks as if you've told xsupp that the CA cert is
> the client cert, which it isn't. They're different things.
>
> In FreeRadius, the "eap.conf" file will have:
>
> eap {
>     tls {
>         certificate_file = /path/to/file.pem
>     }
> }
>
> ...and if you run (against that file):
>
>   openssl x509 -noout -text -in /path/to/file.pem |
>     egrep '(Subject|Issuer):'
>
> ...you'll get something like:
>
> Issuer: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
> Subject: C=US, O=MyOrg, OU=MyCA, CN=wireless.myorg.com
>
> The certificate you supply to the CLIENT as the *CA* must be the
> ISSUER cert - that is, the one with:
>
> Subject: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
>
> I would glance at the xsupp documentation to give more advice but the
> crapforge^Wsourceforge docs links appear to lead in a loop. This is
> one reason amongst many others you should seriously consider using
> wpa_supplicant on the clients.
I have a feeling that I've ruined my CA, and I need to re-create my
FreeRadius CA. Now, I've re-examined how to make a CA repeatedly, and
everything says something different. My CA.pl is located in
/etc/pki/tls/misc.
Given this is the case, from scratch, what is the best way to create a
"Fresh" CA for FreeRadius? I've tried multiple documents from Ubuntu to
RedHat (Mandriva doesn't offer any documentation themselves). So, in
the absence of qualified docs, recommendation?
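
The Issuer/Subject check described in the quoted reply, as an added example that is not part of the original thread: a shell function that tells you whether a candidate file is the CA that issued the server certificate, and that also catches a file with the right name but the wrong key. The function name and script name are hypothetical; only `openssl x509` and `openssl verify` are assumed to be installed.

```shell
#!/bin/sh
# Added example: decide whether a candidate file is really the CA that issued
# the RADIUS server certificate, before handing it to the supplicant.
# Usage: sh check_ca.sh CANDIDATE_CA.pem SERVER_CERT.pem  (script name is hypothetical)

check_ca_for_server() {
    ca_file=$1
    server_cert=$2

    # Read the server cert's Issuer and the candidate's Subject in one
    # canonical form (RFC 2253) so the two strings can be compared directly.
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$server_cert") || return 2
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$ca_file") || return 2
    issuer=${issuer#issuer=}
    subject=${subject#subject=}

    if [ "$issuer" != "$subject" ]; then
        echo "WRONG FILE: server cert was issued by '$issuer'," \
             "but this file is the certificate of '$subject'"
        return 1
    fi

    # Matching names are not proof: confirm the server cert's signature
    # actually chains to the key in the candidate file.
    if ! openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1; then
        echo "WRONG KEY: names match but '$server_cert' does not verify against '$ca_file'"
        return 1
    fi

    echo "OK: '$ca_file' is the issuer of '$server_cert'"
    return 0
}

# Run the check when called with two file arguments.
if [ "$#" -eq 2 ]; then
    check_ca_for_server "$1" "$2"
fi
```

The second case matters after a CA has been re-created under the same name: the new CA file passes the name comparison but will not verify a server certificate signed by the old key.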