Sending CA certificate during EAP-TLS
Rafa Marín López
rafa.marinlopez at gmail.com
Wed Jun 20 18:10:12 CEST 2007
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi Karlsen,
Thanks for the answer; please see inline...
>
> Argh, your misunderstanding is because of the inline
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the
> same CA certs
Well, in my current configuration I have the RADIUS server certificate in
certificate_file and the CA certificate in CA_file.
But with that configuration, the RADIUS server is still sending the CA
certificate.
Having said that, your proposal was to not include the CA certificate
in the RADIUS server certificate (in the certificate_file variable).
My RADIUS server certificate does not have the CA certificate included.
Even so, the RADIUS server is including the CA certificate :(...
Any alternative solution?
> because I guess in the majority of cases the RADIUS server cert is
> issued by some (commercial) server CA where as the client certs are
> mostly issued by some home grown user CA.
>
> Saying that there might be cases where the CA certificates from
> CA_file are indeed the CA chain certs of the RADIUS server
> certificate.....
>