cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

Andrew Hood freeradius at andyhood.net
Fri Aug 22 14:46:10 CEST 2008


Alan DeKok wrote:
> Andrew Hood wrote:
> 
>>Pardon me if I've missed something, but as far as I can tell the server
>>cert isn't authorised to sign client certs, so I can't see how it could
>>work. The CA can sign client certs.
> 
> 
>   There can be multiple levels of CAs.  Verisign, your company, the
> local division, etc.  This is all specifically allowed, and required, by
> SSL.

No argument there.

>   My suggestion was that maybe what's needed was to mark the server cert
> with the CA properties.  The server cert would then be an intermediate
> CA, which is Just Fine.

That's what Sergio seemed to be getting at in changing the Makefile so
that a CA, rather than the server, signs the client cert. Is that the
better way?

Is the answer to give the server the right to sign the cert, and if so,
how do you do it so as to complete the root CA->server->client chain?

However, there may be multiple servers, each with its own cert. Why
should a client cert be signed by one server when it may be used with
other servers?

-- 
REALITY.SYS not found: Universe halted.
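The chain question in this thread, shown as an added example that is not code from the thread or from the FreeRADIUS project. The Go program below uses only the standard library to issue a root CA -> server -> client chain twice, once with the server cert marked as a CA (basicConstraints CA:TRUE plus keyCertSign) and once as a plain end-entity cert, and then validates the client cert for clientAuth the way a TLS stack would. It demonstrates the point Alan makes: the signing step itself succeeds either way, but only the chain whose intermediate is a real CA verifies. Names such as "radius.example.test" and "user@example.test" are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. isCA sets the basicConstraints
// CA flag, which is what decides whether the cert is allowed to sign other certs.
func newTemplate(cn string, serial int64, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey.
// A nil parent means self-signed (the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	// Note: CreateCertificate does not refuse a non-CA parent; a signature is just a signature.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues root CA -> RADIUS server -> client. serverIsCA controls whether
// the server cert carries the CA properties (basicConstraints CA:TRUE, keyCertSign).
func BuildChain(serverIsCA bool) (root, server, client *x509.Certificate, err error) {
	root, rootKey, err := issue(newTemplate("Constructed Root CA", 1, true,
		x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	ku := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if serverIsCA {
		ku |= x509.KeyUsageCertSign
	}
	// Go checks extended key usage along the whole chain, so a server cert that also
	// acts as the issuer of client certs has to list clientAuth next to serverAuth.
	server, serverKey, err := issue(newTemplate("radius.example.test", 2, serverIsCA, ku,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	client, _, err = issue(newTemplate("user@example.test", 3, false, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), server, serverKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, server, client, nil
}

// VerifyClient does what the server's TLS stack does with a presented client cert:
// validate it for clientAuth against the trusted root, offering the server cert as intermediate.
func VerifyClient(root, server, client *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(server)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ChainVerifies reports whether the client cert validates; err is the verification
// (or issuance) failure when it does not.
func ChainVerifies(serverIsCA bool) (bool, error) {
	root, server, client, err := BuildChain(serverIsCA)
	if err != nil {
		return false, fmt.Errorf("building chain: %w", err)
	}
	if err := VerifyClient(root, server, client); err != nil {
		return false, err
	}
	return true, nil
}

// IsUnknownAuthority reports whether err is the "signed by unknown authority" failure,
// which is what Go returns when the only candidate issuer is not a valid CA.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	for _, isCA := range []bool{false, true} {
		ok, err := ChainVerifies(isCA)
		fmt.Printf("server cert is CA: %-5v -> client chain valid: %v  err: %v\n", isCA, ok, err)
	}
}
```

The verifier rejects the non-CA chain even though the client cert carries a perfectly good signature from the server key, which is why a client cert signed by a plain server cert never validates. Marking the server cert as an intermediate CA (the suggestion in the thread) fixes that, at the cost of tying every client cert to one server's key; having a separate CA sign client certs keeps them usable across several servers.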



More information about the Freeradius-Users mailing list