cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Sergio
sergioyebenes at alumnos.upm.es
Thu Jul 24 21:50:18 CEST 2008
Alan DeKok wrote:
> Phil Mayers wrote:
>
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>>
>
> It's intentional. It's a perfectly valid use of certificate chains.
>
> The idea is that you have one CA for your organization, and (perhaps)
> multiple RADIUS servers. Each server has its own identity, and can
> issue its own client certs for EAP-TLS. But client certs will work
> across multiple servers, because the servers are signed by the same CA.
>
> Alan DeKok.
>
But the debug I posted shows that radius doesn't recognize the issuer of
the client cert using default certs. If the default certs work and I don't
need to install server.pem and ca.pem into the ssl/certs dir, what am I
forgetting, Alan?
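
Added example (not part of the thread and not the FreeRADIUS certs Makefile): the CA -> server -> client chain described in the quoted reply, rebuilt with constructed names, showing that a verifier holding only the CA cannot find the issuer of a server-signed client certificate until it is also given the server certificate as an intermediate. It assumes the server certificate is issued with basicConstraints CA:TRUE so OpenSSL accepts it as an issuer; the thread does not say which extensions the bootstrap certificates carry.

```sh
#!/bin/sh
# Constructed demo: all subjects, file names and directories are made up.
# build_chain DIR: create CA -> server -> client certificates in DIR.
build_chain() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Organization CA (self-signed trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Org CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server certificate, signed by the CA (assumption: issued with CA:TRUE).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo RADIUS Server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/demo.cnf" \
        -extensions v3_ca -out "$d/server.pem" 2>/dev/null || return 1
    # Client certificate, signed by the server key rather than the CA key.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo EAP-TLS Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -days 1 -CA "$d/server.pem" \
        -CAkey "$d/server.key" -CAcreateserial \
        -out "$d/client.crt" 2>/dev/null || return 1
}

# Verifier knows only the root CA: the client's issuer cannot be found.
verify_ca_only() {
    openssl verify -CAfile "$1/ca.pem" "$1/client.crt" >/dev/null 2>&1
}

# Verifier is also given the server certificate as an intermediate.
verify_with_server() {
    openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" \
        "$1/client.crt" >/dev/null 2>&1
}

tmp=$(mktemp -d) && build_chain "$tmp" || exit 1
verify_ca_only "$tmp" && echo "CA only: OK" || echo "CA only: FAILED"
verify_with_server "$tmp" && echo "CA + server cert: OK" || echo "CA + server cert: FAILED"
rm -rf "$tmp"
```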