Sending CA certificate during EAP-TLS

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Wed Jun 20 16:37:44 CEST 2007



Rafa Marin wrote:
> Hi Karlsen,
> 
> 2007/6/20, Reimer Karlsen-Masur, DFN-CERT <karlsen-masur at dfn-cert.de 
> <mailto:karlsen-masur at dfn-cert.de>>:
> 
>     Hi,
> 
>     in the file referenced by the option variable "certificate_file" in
>     the tls
>     section only put the server certificate (and optionally the private
>     key) of
>     your RADIUS server.
> 
> 
> I think this might work (after some tests I did). But my immediate 
> question is how the server is supposed to verify the client certificate if 
> we don't configure any CA certificate?

Argh, your misunderstanding is because of the inline documentation/default 
setup of the eap config file.

*Trusted* CAs for client auth are stored in

CA_file

or

CA_path

So there is no conflict here with certificate_file option.

And IMO usually CA_file and certificate_file should *not* contain the same 
CA certs, because I guess in the majority of cases the RADIUS server cert is 
issued by some (commercial) server CA, whereas the client certs are mostly 
issued by some home-grown user CA.

That said, there might be cases where the CA certificates from CA_file are 
indeed the CA chain certs of the RADIUS server certificate...

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
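As an added illustration (not part of the original thread, and not a file shipped by the FreeRADIUS project), here is an eap.conf "tls" section laid out the way the reply describes: certificate_file holds only the RADIUS server's own certificate (and, if the issuing CA is not a root, the intermediate certificates of its chain, server certificate first, as OpenSSL expects in a PEM chain file), while CA_file / CA_path hold the CA(s) trusted to issue *client* certificates. The file names under ${raddbdir}/certs/ and the private-key password are assumptions chosen for the example.

```conf
# Added example, not from the original thread or the FreeRADIUS project.
# File names, directory layout and the key password are assumptions.
eap {
	default_eap_type = tls

	tls {
		# Identity of the RADIUS server itself: its private key and its
		# certificate. Only the server certificate (plus any intermediate
		# CA certs needed to chain it to its root, server cert first)
		# belongs in certificate_file. The CA that signs client certs
		# does NOT go here.
		private_key_password = "example-key-password"
		private_key_file = ${raddbdir}/certs/radius-server.key
		certificate_file = ${raddbdir}/certs/radius-server.pem

		# Trusted CA(s) for verifying *client* certificates during EAP-TLS.
		# Typically the organisation's own user CA, which is usually a
		# different CA from the (commercial) one that issued the server
		# certificate above.
		CA_file = ${raddbdir}/certs/user-ca.pem

		# Alternative or additional trust store: a directory of CA certs
		# named by OpenSSL subject hash (run c_rehash on the directory).
		# Required if check_crl is enabled, because CRLs are looked up there.
		# CA_path = ${raddbdir}/certs/client-cas/

		# Diffie-Hellman parameters and entropy source for the handshake.
		dh_file = ${raddbdir}/certs/dh
		random_file = /dev/urandom

		# Set to yes to reject client certificates listed in a CRL
		# found in CA_path.
		check_crl = no
	}
}
```

Before reloading the server, a quick sanity check of the split is `openssl verify -CAfile user-ca.pem some-client.pem`, which must succeed for a client certificate you expect to be accepted, and `openssl verify -CAfile user-ca.pem radius-server.pem`, which is expected to fail when the server certificate comes from a different CA (that failure is the normal situation the reply describes, not an error). Running `radiusd -X` then shows whether the certificate and key files load cleanly.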