cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

William Hegardt whegardt at gmail.com
Tue Aug 19 17:41:20 CEST 2008

I hate to resurrect this long thread from July 22-28, but I have the
same problem and never saw a resolution.

I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4
(latest to date).

I'm using the bootstrap script to generate example certificates.
I also created a client certificate using make client.pem. I configured
wpa_supplicant with ca.pem, client.pem and client.key.

EAP-TLS authentication fails with the "fatal unknown ca" message.

If I hack the Makefile like Sergio mentioned last month to sign the
client certificate with the CA key, then authentication succeeds.

In last month's thread, Alan DeKok posted:

>  You need to follow the documentation in eap.conf.
>                        #  If CA_file (below) is not used, then the
>                        #  certificate_file below MUST include not
>                        #  only the server certificate, but ALSO all
>                        #  of the CA certificates used to sign the
>                        #  server certificate.
>                        certificate_file = ${certdir}/server.pem
>  Have you done that?

In my case, CA_file does indeed refer to ca.pem as created by the
bootstrap script. So I'm assuming that I don't need to touch the
server.pem file as created.

I'd really like to understand what's wrong. Could wpa_supplicant be
somehow incompatible with the bootstrap certificate chain?
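Added example (editor's note, not part of the original post and not the FreeRADIUS project's bootstrap script or Makefile). A TLS "unknown ca" alert is sent by the side that could not chain the peer's certificate to a CA it trusts; in the setup above, re-signing the client certificate with the CA key made the failure go away, which points at the server verifying the supplicant's client.pem against CA_file. The script below builds a throwaway PKI in a temp directory, signs one client CSR correctly (with the CA key) and once with an unrelated key, and runs the same chain check locally with `openssl verify`, plus an issuer/subject hash comparison that says whether the problem is the signing step rather than eap.conf. The file names client-good.pem, client-bad.pem, other.pem and the function names chain_ok / issuer_matches_ca / report are this example's own, not FreeRADIUS names; only the "ca.pem / client.pem" roles mirror the bootstrap output.

```shell
#!/bin/sh
# Added example: reproduce and diagnose a client certificate that does not
# chain to the CA the RADIUS server trusts (TLS alert "unknown ca").
# Nothing here comes from the FreeRADIUS bootstrap script; all files are
# constructed in a temp dir and removed on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so self-signed certs get CA extensions on every
# OpenSSL version (without it, a v3 cert with no basicConstraints is
# rejected as a trust anchor by newer releases).
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
EOF

# Constructed CA, standing in for the bootstrap script's ca.pem / ca.key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
  -subj "/CN=Example CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# One client CSR, signed two different ways below.
openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" -subj "/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# (a) Signed by the CA key: the chain the server expects for CA_file = ca.pem.
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 1 -out "$WORK/client-good.pem" 2>/dev/null

# (b) Signed by an unrelated key: the server cannot chain this to ca.pem and
#     answers the supplicant's Certificate message with "unknown ca".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
  -subj "/CN=Not the CA" -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/other.pem" -CAkey "$WORK/other.key" \
  -CAcreateserial -sha256 -days 1 -out "$WORK/client-bad.pem" 2>/dev/null

# chain_ok CA_FILE CERT: exit 0 if CERT chains to CA_FILE, non-zero otherwise.
# This is the check the RADIUS server applies to the client cert, and the
# check wpa_supplicant applies to server.pem against its ca_cert.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches_ca CA_FILE CERT: exit 0 if CERT's issuer DN hashes to
# CA_FILE's subject DN. A mismatch means the cert was issued by some other
# key, i.e. the signing step is wrong, not the eap.conf paths.
issuer_matches_ca() {
    [ "$(openssl x509 -noout -issuer_hash -in "$2")" = \
      "$(openssl x509 -noout -subject_hash -in "$1")" ]
}

# report: print the verdict for both client certs the way you would when
# checking a freshly generated client.pem against ca.pem.
report() {
    for c in client-good client-bad; do
        if chain_ok "$WORK/ca.pem" "$WORK/$c.pem"; then
            echo "$c.pem: chains to ca.pem (server would accept it)"
        else
            echo "$c.pem: does NOT chain to ca.pem -> expect TLS alert 'unknown ca'"
            echo "  cert issuer: $(openssl x509 -noout -issuer  -in "$WORK/$c.pem")"
            echo "  CA subject : $(openssl x509 -noout -subject -in "$WORK/ca.pem")"
        fi
    done
}

report
```

On a real installation the same two commands apply to the files the bootstrap script produced: `openssl verify -CAfile raddb/certs/ca.pem raddb/certs/client.pem` should succeed, and the client certificate's `-issuer_hash` should equal ca.pem's `-subject_hash`. If either fails, the client certificate was not issued by the CA named in CA_file, and no change to certificate_file on the server will make the server trust it.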


More information about the Freeradius-Users mailing list