cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jul 25 09:44:15 CEST 2008
On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:
>Phil Mayers wrote:
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>
> It's intentional. It's a perfectly valid use of certificate chains.
>
> The idea is that you have one CA for your organization, and (perhaps)
>multiple RADIUS servers. Each server has its own identity, and can
>issue its own client certs for EAP-TLS. But client certs will work
>across multiple servers, because the servers are signed by the same CA.
Ah, I see.
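
Added example, not part of the original thread and not FreeRADIUS's own certs Makefile: a throwaway chain (org CA, then RADIUS server cert, then client cert) checked with `openssl verify` the way a server trusting only the org CA would check it. All names, subjects and extension sections are constructed; giving the issuing server cert `CA:TRUE` is an assumption of this demo, made because OpenSSL rejects a chain whose intermediate is not marked as a CA.

```shell
#!/bin/sh
# Constructed demo PKI; every name, subject and lifetime here is illustrative.
D=$(mktemp -d)
cat > "$D/ext.cnf" <<'EOF'
# Assumption of this demo: a server that issues client certs carries CA:TRUE.
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[issuing_server]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
[plain_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[client]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
EOF

mkreq() {   # $1 = file stem, $2 = CN: fresh key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
issue() {   # $1 = subject stem, $2 = issuer stem, $3 = extension section
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
        -CAcreateserial -extfile "$D/ext.cnf" -extensions "$3" -days 1 \
        -out "$D/$1.pem" 2>/dev/null
}
verify_client() {   # $1 = client stem, $2 = optional intermediate stem
    if [ -n "$2" ]; then
        openssl verify -CAfile "$D/ca.pem" -untrusted "$D/$2.pem" "$D/$1.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$D/ca.pem" "$D/$1.pem" >/dev/null 2>&1
    fi
}

mkreq ca "Example Org CA"
openssl x509 -req -in "$D/ca.csr" -signkey "$D/ca.key" -extfile "$D/ext.cnf" \
    -extensions root -days 1 -out "$D/ca.pem" 2>/dev/null
mkreq radius1 "radius1.example.org"; issue radius1 ca issuing_server
mkreq radius3 "radius3.example.org"; issue radius3 ca plain_server
mkreq alice "alice"; issue alice radius1 client   # client cert signed by a server
mkreq bob "bob";     issue bob radius3 client     # issuer is not allowed to sign

# What any RADIUS server that trusts only the org CA would conclude:
verify_client alice radius1 && echo "alice + radius1 chain: accepted"
verify_client alice         || echo "alice, issuer cert not supplied: rejected"
verify_client bob radius3   || echo "bob, issuer lacks CA:TRUE: rejected"
```

The second case is the operational catch: a server other than the issuer can only validate the client if the issuing server's certificate reaches it, either sent by the client as part of its chain or present in the verifier's certificate store.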