definitively, I have a problem with eap-tls
Sergio
sergioyebenes at alumnos.upm.es
Thu Jul 24 18:41:21 CEST 2008
Phil Mayers wrote:
>>>
>> ok :) I provide certificate files and eap.conf in a tar ball so as not
>> to post too long a mail.
>> If I print user@example.com.pem in text form I see that radius is the
>> issuer of the certificate. This is the default PKI and I don't know
>> what I'm doing wrong.
>> Thanks for your attention.
>
> I get the exact same error at the CLI:
>
> [pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < server.pem
> stdin: OK
>
> [pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < user\@example.com.pem
> stdin: /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> Your certificates are invalid:
>
> * server.pem is signed by ca.pem, which is correct:
>
> Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority
>
> Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
>
> * user.pem is signed by *server.pem* which is WRONG
>
> Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
>
> Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.com/emailAddress=user@example.com
>
>
> You have signed the user cert with the server cert, which is
> incorrect. You must sign the user cert with the CA cert.
>
>
Yeah!! Then you agree with me. I've been explaining (trying) in this
forum that the client cert must be signed by the CA cert. The bootstrap
command signs the client cert with server.key and this does not work. The
solution is to replace the signing in certs/Makefile (-key server.key
-cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree
with me when I say, with fear and respect, that the default radius PKI
doesn't work?
Second: if I sign client certificates with ca.key, I assume that I can't
manage the CRL because it should be signed with server.key, am I right?
What do you think about this?
Thanks
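The chain problem discussed in this thread, reproduced as an added example (not code from the thread or from the FreeRADIUS bootstrap scripts): a throwaway PKI is built in a temp directory, the user CSR is signed once with the server key and once with the CA key, and `openssl verify -CAfile ca.pem` is run over each cert exactly as Phil did. The subject names mirror the thread but are constructed here; it assumes only the `openssl` CLI.

```shell
#!/bin/sh
# Constructed demo PKI: which issuer a user cert needs so that it chains to ca.pem
set -e
WORK=$(mktemp -d)
cd "$WORK"
Q=2>/dev/null

# Self-signed CA (constructed subject, mirrors the thread's DN)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ca.key -out ca.pem \
  -subj "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority" 2>/dev/null

# Server cert, correctly issued by the CA
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate" 2>/dev/null
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out server.pem 2>/dev/null

# One user CSR, signed two different ways
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/C=FR/ST=Radius/O=Example Inc./CN=user@example.com" 2>/dev/null
# WRONG: issued by the server cert (what the reported Makefile did)
openssl x509 -req -days 365 -in user.csr -CA server.pem -CAkey server.key \
  -CAcreateserial -out user-wrong.pem 2>/dev/null
# RIGHT: issued by the CA
openssl x509 -req -days 365 -in user.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out user-ok.pem 2>/dev/null

# issuer_cn CERT: print the CN of the certificate's issuer
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# verify_chain CERT: returns 0 iff CERT chains to ca.pem, the check a RADIUS
# server performs on the EAP-TLS client certificate
verify_chain() {
  if openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; then
    echo "$1 (issuer: $(issuer_cn "$1")): OK"
  else
    echo "$1 (issuer: $(issuer_cn "$1")): FAIL, no local issuer in ca.pem"
    return 1
  fi
}

verify_chain server.pem
verify_chain user-ok.pem
verify_chain user-wrong.pem || true   # expected to fail, like the thread's user.pem
```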