cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

Alan DeKok aland at deployingradius.com
Sat Aug 23 07:06:44 CEST 2008

Andrew Hood wrote:
> That's what Sergio seemed to be getting at in changing with the Makefile
> to have a CA rather than the server sign the client cert. Is that the
> better way?

  It's a different way.  The question you want to ask is if the *CA*
issues client certificates, or if the *server* does.

  e.g. If all RADIUS servers in your organization are managed by the
same administrators, and authenticate the same people, then the client
certs should be signed by the CA.

  If the RADIUS servers are managed by different administrators, and
authenticate different sets of people, then the client certs should be
signed by the server cert.

> Is the answer to give the server the right to sign the cert, and if so
> how you do it so as to complete the root CA->server->client chain?

  See the ca.cnf file for how to mark a certificate as a CA.

> However, there may be multiple servers, each with its own cert. Why
> should a client cert be signed by one server when it may be used with
> other servers?

  It all depends on your local configuration and needs.  See above.

  Alan DeKok.

More information about the Freeradius-Users mailing list