cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 24 19:29:26 CEST 2008
> Yeah!! Then you agree with me. I've been explaining (trying) in this
> forum that the client cert must be signed by the CA cert. The bootstrap command signs the
> client cert with server.key and this does not work. The solution is to
> replace the signing in certs/Makefile (-key server.key -cert server.pem
> should be -key ca.key -cert ca.pem). Then, do you agree with me when I
> say, with fear and respect, that the default radius PKI doesn't work?
I think so.
Hmm. Maybe; I guess most people test PEAP which just uses CA & server
certs, no client certs.
I'm by no means an expert, and Makefiles make my brain hurt, so I could
be misreading it.
Alan - it does look to my untrained eye as if the "client.crt" Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?
> Second: if I sign client certificates with ca.key I assume that I can't
> manage the CRL because it should be signed with server.key, am I right?
I don't think so. Again, I think the CRL is signed with the CA key. Of
course, you'll need to run your own CRL commands; the FreeRadius stuff
doesn't come with that.
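The two chain points argued in this message (an EAP-TLS client cert has to be issued with ca.key so that it chains to ca.pem, and a CRL is likewise signed with ca.key, which you have to do with your own commands) as an added shell example. This is not part of the original post and not FreeRADIUS's certs/Makefile: it uses plain `openssl x509 -req` instead of `openssl ca` for issuance, a minimal `openssl ca` config that I assume here for revocation, and made-up file names and subjects. It issues the same client CSR the wrong way (with server.key, as the thread reports) and the right way (with ca.key), checks both against ca.pem the way a RADIUS server does, then revokes the good cert and shows the CRL verifies under ca.pem.

```shell
#!/bin/sh
# Added example; not FreeRADIUS's certs/Makefile. Assumes `openssl` on PATH
# and a writable temp dir. All names and subjects below are made up.
set -e

WORK=${WORK:-$(mktemp -d)}

# Build the demo PKI in $WORK: CA, server cert, and two client certs made
# from one CSR (one issued by server.key, one by ca.key).
gen_pki() {
    (
    cd "$WORK"
    # Self-signed CA: this is the ca.pem/ca.key pair the thread talks about
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.pem -subj "/CN=Demo RADIUS CA" 2>/dev/null
    # Server cert, issued by the CA (this part of the bootstrap is fine)
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=radius.example.test" 2>/dev/null
    openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out server.pem 2>/dev/null
    # Client CSR
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=alice" 2>/dev/null
    # WRONG: client cert issued by server.key/server.pem, as the post reports
    openssl x509 -req -days 365 -in client.csr -CA server.pem -CAkey server.key \
        -CAcreateserial -out client-bad.crt 2>/dev/null
    # RIGHT: client cert issued by ca.key/ca.pem (-key ca.key -cert ca.pem)
    openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out client-good.crt 2>/dev/null
    )
}

# What an EAP-TLS server does with a client cert: chain it to ca.pem.
# Exit status 0 only if the cert was issued under the CA.
verify_client() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Minimal `openssl ca` config (assumed for this demo) so we can revoke a
# cert and sign a CRL with ca.key, the part FreeRADIUS does not ship.
write_ca_cnf() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
EOF
    : > "$WORK/index.txt"
    echo "unique_subject = no" > "$WORK/index.txt.attr"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
}

# Revoke the good client cert and emit $WORK/ca.crl, signed by ca.key.
revoke_and_gen_crl() {
    write_ca_cnf
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client-good.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Does the CRL's signature verify under ca.pem? 0 if yes.
crl_signed_by_ca() {
    openssl crl -in "$WORK/ca.crl" -CAfile "$WORK/ca.pem" -noout >/dev/null 2>&1
}

# Chain check plus revocation check against ca.crl, as a server with a
# CRL configured would do. 0 only if the cert chains AND is not revoked.
verify_client_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/ca.crl" \
        "$1" >/dev/null 2>&1
}

main() {
    gen_pki
    echo "demo PKI written to $WORK"
    if verify_client "$WORK/client-good.crt"; then
        echo "client-good.crt (issued by ca.key):     chains to ca.pem"
    fi
    if ! verify_client "$WORK/client-bad.crt"; then
        echo "client-bad.crt  (issued by server.key): does NOT chain to ca.pem"
    fi
    revoke_and_gen_crl
    if crl_signed_by_ca; then
        echo "ca.crl: signature verifies with ca.pem (CRL is signed by the CA key)"
    fi
    if ! verify_client_with_crl "$WORK/client-good.crt"; then
        echo "client-good.crt: rejected once ca.crl is consulted (revoked)"
    fi
}

main
```

Run it as `sh demo.sh`; the `openssl verify -CAfile ca.pem` step is the same trust decision the server makes when it is pointed at the CA file, which is why a client cert issued by server.key fails even though server.pem itself chains to the CA. The CRL part only needs the CA key and an `openssl ca` database; nothing about it involves server.key.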