cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Sergio sergioyebenes at alumnos.upm.es
Fri Jul 25 15:20:54 CEST 2008


Reveal MAP escribió:
> HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in 
> default configuration?
>
> - this bug is suspected to make i can't do EAP-PEAP and affect the CRL 
> management too. it's a real problem
>
>
>
> ----- Message d'origine ----
> De : Alan DeKok <aland at deployingradius.com>
> À : FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Envoyé le : Jeudi, 24 Juillet 2008, 19h54mn 32s
> Objet : Re: cert bootstrap bug? (was Re: definitively, I have a 
> problem with eap-tls)
>
> Sergio wrote:
> > But the debug I posted shows that radius doesn't recognize the issuer of
> > client cert using default certs. If default certs works and I don't need
> > to install server.pem and ca.pem into ssl/certs dir, what I'm forgetting
> > alan?
>
>   You need to follow the documentation in eap.conf.
>
>             #  If CA_file (below) is not used, then the
>             #  certificate_file below MUST include not
>             #  only the server certificate, but ALSO all
>             #  of the CA certificates used to sign the
>             #  server certificate.
>             certificate_file = ${certdir}/server.pem
>
>   Have you done that?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
> ------------------------------------------------------------------------
> Envoyé avec Yahoo! Mail 
> <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>.
> Une boite mail plus intelligente.
>
But I think this problem do not affect peap because peap do not use 
client certs, you only need to install ca.der into client machine and 
put the passwords




More information about the Freeradius-Users mailing list