definitively, I have a problem with eap-tls
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 24 18:06:46 CEST 2008
>>
> ok :) I provide certificate files and eap.conf in a tar ball to not to
> post a mail too long.
> If I print user at example.com.pem in text form I see how radius is the
> issuer of the certificate. This is the default PKI and I don't know what
> I'm doing wrong.
> Thanks for your attention.
I get the exact same error at the CLI:
[pjm3 at localhost tmp]$ openssl verify -CAfile ca.pem < server.pem
stdin: OK
[pjm3 at localhost tmp]$ openssl verify -CAfile ca.pem < user\@example.com.pem
stdin: /C=FR/ST=Radius/O=Example Inc./CN=user at example.com/emailAddress=user at example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
Your certificates are invalid:
* server.pem is signed by ca.pem, which is correct:
Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin at example.com, CN=Example Certificate Authority
Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin at example.com
* user.pem is signed by *server.pem* which is WRONG
Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin at example.com
Subject: C=FR, ST=Radius, O=Example Inc., CN=user at example.com/emailAddress=user at example.com
You have signed the user cert with the server cert, which is incorrect.
You must sign the user cert with the CA cert.
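
The failure diagnosed in this message can be reproduced with a throwaway PKI. This is an added example, not part of the original post; the file names, subjects and helper function names are constructed for the demonstration.

```shell
# Constructed demo PKI: every name and file below is made up for this example.

# new_csr DIR NAME CN: generate a key and a certificate request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/O=Example Inc./CN=$3" 2>/dev/null
}

# sign_csr DIR NAME ISSUER SERIAL: sign NAME.csr with ISSUER.pem / ISSUER.key.
# "openssl x509 -req" does not check that the issuer is a CA, so signing
# with the wrong certificate succeeds silently.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -set_serial "$4" -days 1 -out "$1/$2.pem" 2>/dev/null
}

build_demo_pki() {
    # Self-signed root: the only certificate the verifier will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.pem" -days 1 \
        -subj "/O=Example Inc./CN=Example Certificate Authority" 2>/dev/null
    new_csr "$1" server "Example Server Certificate"
    sign_csr "$1" server ca 1
    new_csr "$1" user "user@example.com"
    sign_csr "$1" user server 2      # WRONG: issued by the server cert
    mv "$1/user.pem" "$1/user_bad.pem"
    sign_csr "$1" user ca 3          # correct: issued by the CA
}

# verifies_against_ca DIR CERT: succeed only if CERT chains to DIR/ca.pem.
verifies_against_ca() {
    openssl verify -CAfile "$1/ca.pem" "$2" 2>&1 | grep -q ': OK$'
}

# issuer_of CERT: print the issuer, the quickest way to spot the mistake.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Run with the argument "demo" to print issuer and result for each cert.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && build_demo_pki "$d"
    for c in server user_bad user; do
        issuer_of "$d/$c.pem"
        verifies_against_ca "$d" "$d/$c.pem" && echo "$c.pem: OK" || echo "$c.pem: FAILED"
    done
    rm -rf "$d"
fi
```

Here user_bad.pem fails against ca.pem because its issuer is the server certificate, while user.pem, signed with the CA key, verifies.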