cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Sergio sergioyebenes at alumnos.upm.es
Thu Jul 24 21:50:18 CEST 2008


Alan DeKok wrote:
> Phil Mayers wrote:
>   
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>>     
>
>   It's intentional.  It's a perfectly valid use of certificate chains.
>
>   The idea is that you have one CA for your organization, and (perhaps)
> multiple RADIUS servers.  Each server has its own identity, and can
> issue its own client certs for EAP-TLS.  But client certs will work
> across multiple servers, because the servers are signed by the same CA.
>
>   Alan DeKok.
But the debug I posted shows that radius doesn't recognize the issuer of 
the client cert using the default certs. If the default certs work and I 
don't need to install server.pem and ca.pem into the ssl/certs dir, what 
am I forgetting, Alan?
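
The chain discussed in this thread (CA signs server, server signs client), as an added example that is not part of the original messages and is not FreeRADIUS's own Makefile. It assumes the openssl command-line tool is installed; every subject name and file name is made up. It goes one step beyond the thread by also building the chain with a server cert marked CA:FALSE.

```shell
#!/bin/sh
# Constructed demo (not FreeRADIUS's Makefile): root CA -> server -> client.
# All subject names and file names are made up for this example.

# issue NAME EXT [ISSUER]: create key + cert for NAME in $DIR with extension
# line EXT. Without ISSUER the cert is self-signed (the root CA).
issue() {
    name=$1; ext=$2; issuer=${3:-}
    printf '%s\n' "$ext" > "$DIR/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
        -keyout "$DIR/$name.key" -out "$DIR/$name.csr" 2>/dev/null || return 1
    if [ -z "$issuer" ]; then
        set -- -signkey "$DIR/$name.key"
    else
        set -- -CA "$DIR/$issuer.pem" -CAkey "$DIR/$issuer.key" -set_serial 2
    fi
    openssl x509 -req -in "$DIR/$name.csr" -days 1 -extfile "$DIR/$name.ext" \
        "$@" -out "$DIR/$name.pem" 2>/dev/null
}

# check_client MODE: verify client.pem with ca.pem as the only trust anchor.
# MODE with-server also hands the verifier server.pem as an intermediate.
check_client() {
    if [ "$1" = with-server ]; then
        openssl verify -CAfile "$DIR/ca.pem" -untrusted "$DIR/server.pem" \
            "$DIR/client.pem"
    else
        openssl verify -CAfile "$DIR/ca.pem" "$DIR/client.pem"
    fi >/dev/null 2>&1
}

# demo TRUE|FALSE: build the chain with the server cert marked CA:TRUE or
# CA:FALSE and report both verification results.
demo() {
    DIR=$(mktemp -d) || return 1
    issue ca     'basicConstraints=critical,CA:TRUE' &&
    issue server "basicConstraints=critical,CA:$1" ca &&
    issue client 'basicConstraints=CA:FALSE' server || return 1
    check_client ca-only     && r1=ok || r1=fail
    check_client with-server && r2=ok || r2=fail
    rm -rf "$DIR"
    echo "ca-only=$r1 with-server=$r2"
}

demo TRUE    # server cert is allowed to issue certs
demo FALSE   # server cert is an end-entity cert only
```

A verifier that holds only the root cannot name the client cert's issuer; it needs the server cert as well, and that cert has to be marked as a CA.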


