Sending CA certificate during EAP-TLS
Reimer Karlsen-Masur, DFN-CERT
karlsen-masur at dfn-cert.de
Wed Jun 20 16:37:44 CEST 2007
Rafa Marin wrote:
> Hi Karlsen,
>
> 2007/6/20, Reimer Karlsen-Masur, DFN-CERT <karlsen-masur at dfn-cert.de
> <mailto:karlsen-masur at dfn-cert.de>>:
>
> Hi,
>
> in the file referenced by the option variable "certificate_file" in
> the tls
> section only put the server certificate (and optionally the private
> key) of
> your RADIUS server.
>
>
> I think this might work (after some tests i did). But my immediate
> question is how the server is supposed to verify client certificate if
> we don't configure any CA certificate?.
Argh, your misunderstanding is because of the inline documentation/default
setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
CA_path
So there is no conflict here with certificate_file option.
And IMO usually CA_file and certificate_file should *not* contain the same
CA certs because I guess in the majority of cases the RADIUS server cert is
issued by some (commercial) server CA where as the client certs are mostly
issued by some home grown user CA.
Saying that there might be cases where the CA certificates from CA_file are
indeed the CA chain certs of the RADIUS server certificate.....
--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5853 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070620/71c6bfd6/attachment.bin>
More information about the Freeradius-Users
mailing list