CA certificates
jehan procaccia
jehan.procaccia at it-sudparis.eu
Fri Sep 5 17:49:32 CEST 2008
hello,
we are running our own PKI with a 3 level hierarchy:
it-master-class1(self-signed) -> it-ca-class2 -> it-ca-class3.
it-ca-class3 signed our radius server (radiux-pkiit-2008.pem)
In the eap.conf file, in the tls section, I have
tls {
private_key_password = secret
private_key_file = ${certdir}/radiux-pkiit-2008.key.pass.pem
certificate_file = ${certdir}/radiux-pkiit-2008.pem
CA_file = ${certdir}/ca-chain-institut-telecom_long.crt
}
Unfortunately, SecureW2 Windows clients configured to check certificates
and having it-master-class1 in their CA list don't accept our TLS
security :-( . It says that it received a bad certificate from the
server !?
I wonder if I didn't make a misconfiguration in the radiusd/eap/tls section
above.
certificate_file points to our radius SSL server certificate
CN=radius.it-sudparis.eu
but what should CA_file point to in our case? The
it-master-class1 CA root certificate? The it-ca-class3 CA which signed
our radius server? A bundle of the 3 CAs (as it is now!)? In which
order, class 1-2-3 or class 3-2-1? In PEM or DER? Short or long CA
files (by these I mean only what is between --BEGIN CERTIFICATE-- and
--END CERTIFICATE--, or plus the "blabla" above)?
Perhaps only certificate_file = ${certdir}/radiux-pkiit-2008.pem could
be used, but in that case radiux-pkiit-2008.pem should contain the
radius server certificate + a bundle of the 3 CAs, in which order? Short
or long? ...
You see, I have lots of possibilities and questions!
I'm much more used to configuring SSL in Apache's ssl.conf; to me it is
clear as the directives are self-explanatory:
SSLCertificateFile /etc/pki/tls/certs/server-2008.pem
SSLCertificateKeyFile /etc/pki/tls/private/server-2008.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-chain-institut-telecom.crt
SSLCACertificateFile /etc/pki/tls/certs/itrootca-class1.crt
In eap.conf I don't see any distinction between the httpd equivalents:
SSLCertificateChainFile and SSLCACertificateFile.
I also use openssl s_client to test my servers' cert settings:
openssl s_client -host mutuel.it-sudparis.eu -port 443
But I cannot do the same for radius? openssl s_client -host
radius.it-sudparis.eu -port 1812 => socket: Connection refused :-( .
Thanks for your help .
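The post asks three mechanical questions about the CA bundle: whether a "long" PEM file (openssl text dump above each BEGIN/END block) is acceptable, which order the certificates should be in, and whether the bundle actually forms an unbroken chain from the server certificate up to it-master-class1. All three can be checked offline, which matters here because EAP-TLS runs inside RADIUS packets rather than on a TCP socket that s_client could open. The script below is an added example, not code from the original post or from the FreeRADIUS project, and it makes no claim about how FreeRADIUS itself interprets CA_file. Using only the Python standard library, it strips a bundle down to its BEGIN/END blocks, pulls the raw DER issuer and subject names out of each certificate with a minimal ASN.1 walker, and orders the chain leaf first and root last, which is the order TLS sends a certificate chain on the wire. The toy certificates at the bottom are constructed sample input that reuse the hierarchy names from the post; they have the real field layout but no keys or signatures, so they exercise only the chain logic.

```python
"""Normalize a PEM CA bundle and order it leaf -> intermediates -> root.
Added example (not from the FreeRADIUS project or the original post).
The toy certificates at the bottom are constructed sample input."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem_bundle(text):
    """DER bytes of every certificate in a PEM bundle. 'Long' files (openssl
    text dump above each block) work too: only BEGIN/END blocks are read."""
    return [base64.b64decode(re.sub(r"\s+", "", b)) for b in PEM_RE.findall(text)]

def to_short_pem(ders):
    """Re-emit certificates as a 'short' bundle: BEGIN/END blocks only."""
    out = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return "".join(out)

# --- minimal DER reader (definite lengths only, which is all X.509 uses) ---
def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Child elements of a constructed value as (tag, full TLV bytes) pairs."""
    kids, pos = [], 0
    while pos < len(value):
        tag, _, nxt = der_read(value, pos)
        kids.append((tag, value[pos:nxt]))
        pos = nxt
    return kids

def subject_issuer(der):
    """(subject, issuer) as raw DER Name encodings. TBSCertificate field order:
    [0] version (optional), serialNumber, signature, issuer, validity, subject."""
    tbs_tlv = der_children(der_read(der)[1])[0][1]
    fields = der_children(der_read(tbs_tlv)[1])
    if fields[0][0] == 0xA0:               # explicit [0] version present
        fields = fields[1:]
    return fields[4][1], fields[2][1]

def cn_of(name):
    """Best-effort commonName of a DER Name, used for messages only."""
    for _, rdn in der_children(der_read(name)[1]):
        for _, atv in der_children(der_read(rdn)[1]):
            oid, val = der_children(der_read(atv)[1])
            if oid[1] == b"\x06\x03\x55\x04\x03":        # id-at-commonName
                return der_read(val[1])[1].decode("utf-8", "replace")
    return "?"

def order_chain(ders):
    """Order certificates leaf first, root last, by following issuer -> subject
    links (the order TLS sends a chain). Raises ValueError on a broken chain."""
    parsed = [(d,) + subject_issuer(d) for d in ders]
    by_subject = {subj: d for d, subj, _ in parsed}
    issuers = {iss for _, subj, iss in parsed if subj != iss}
    leaves = [d for d, subj, _ in parsed if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))
    chain, cur = [], leaves[0]
    while len(chain) <= len(ders):         # bound protects against issuer loops
        chain.append(cur)
        subj, iss = subject_issuer(cur)
        if subj == iss:                    # self-signed root: chain complete
            return chain
        if iss not in by_subject:
            raise ValueError("issuer of %s is missing from the bundle" % cn_of(subj))
        cur = by_subject[iss]
    raise ValueError("issuer links form a loop")

# --- constructed sample data: toy DER "certificates" carrying only Name fields ---
def der_tlv(tag, body):                    # short-form lengths suffice for toy data
    return bytes([tag, len(body)]) + body

def der_name(cn):
    atv = der_tlv(0x30, b"\x06\x03\x55\x04\x03" + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def toy_cert(subject, issuer):
    """Real field layout, but empty algorithm, validity, key and signature."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
           + der_tlv(0x30, b"") + der_name(issuer) + der_tlv(0x30, b"")
           + der_name(subject) + der_tlv(0x30, b""))
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

# A "long" bundle in scrambled order, using the hierarchy names from the post.
SAMPLE_BUNDLE = "".join(
    "Certificate:\n    Subject: CN=%s\n" % s + to_short_pem([toy_cert(s, i)])
    for s, i in [("it-ca-class2", "it-master-class1"),
                 ("radius.it-sudparis.eu", "it-ca-class3"),
                 ("it-master-class1", "it-master-class1"),
                 ("it-ca-class3", "it-ca-class2")])

def ordered_cns(bundle_text):
    """Chain order of a bundle as commonNames, leaf first."""
    return [cn_of(subject_issuer(d)[0]) for d in order_chain(split_pem_bundle(bundle_text))]
```

Running `ordered_cns(SAMPLE_BUNDLE)` yields `radius.it-sudparis.eu, it-ca-class3, it-ca-class2, it-master-class1`, and `to_short_pem(order_chain(split_pem_bundle(...)))` writes the cleaned, correctly ordered bundle. Two design notes: the chain is linked by comparing raw DER Name bytes, which is what a correctly issued chain satisfies (OpenSSL additionally tolerates some name normalization, so treat a mismatch here as a prompt to inspect, not a verdict); and a missing intermediate, the usual cause of a client reporting a bad server certificate, surfaces as a ValueError naming the certificate whose issuer is absent. The same checks with the OpenSSL CLI are `openssl x509 -in cert.pem -noout -subject -issuer` per certificate and `openssl verify -CAfile root.crt -untrusted intermediates.crt server.pem` for the whole chain.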