eap ttls certificate config
Jehan PROCACCIA
Jehan.Procaccia at it-sudparis.eu
Tue Sep 30 12:35:44 CEST 2008
hello,
I am trying to configure my freeradius-2.0.3-3.el5 to read our certificate chain,
with no success :-( .
Neither the CA_file nor the CA_path directive works as expected in eap.conf.
here's my config:
/etc/raddb/eap.conf
tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs/CA
    private_key_password = secret
    private_key_file = ${certdir}/radiux-pkiit-2008.key.pass.pem
    certificate_file = ${certdir}/radiux-pkiit-2008.pem
    CA_file = ${certdir}/pki-chain.pem
    #CA_path = ${cadir}/
}
pki-chain.pem contains the concatenation of our 3-level PKI hierarchy
( cat itClass1.crt > pki-chain.pem ; cat itClass2.crt >> pki-chain.pem ;
cat itClass3.crt >> pki-chain.pem ).
itClass1.crt is self-signed; it signed class2, then class2 signed the
class3 CA, and finally class3 signed the radiux-pkiit-2008.pem SSL server.
Then, how can I tell freeradius to load that pki-chain.pem ?
Setting it in CA_file doesn't seem to work, as clients with itClass1.crt
loaded cannot negotiate the TLS handshake with the freeradius server :-(
Using the CA_path directive with a certs/CA directory containing the 3
class certificates in PEM format + a hash of them
generates a segmentation fault on the start of radiusd :-( .
Is CA_path deprecated? How should the certificates and hashes in that
CA_path be presented? I heard about c_rehash but cannot find it.
Please let me know how to tell radiusd/eap to load my self-signed 3-level
PKI hierarchy.
Thanks.
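An added example, not from this post or from the FreeRADIUS project, that builds the two layouts the question is about: the concatenated CA_file chain, and the hashed CA_path directory that c_rehash would produce (one copy of each CA cert named by its OpenSSL subject hash), then checks a server certificate against each with `openssl verify`. It constructs a throwaway three-level test PKI in a temp directory; OpenSSL 1.1.1 or newer is assumed, and every name (itClassN, radiux) is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS). Builds the two CA layouts
# OpenSSL understands and checks a server cert against each.
set -eu

# Copy each CA cert in $1 into $2 as <subject_hash>.<n>: the lookup layout
# OpenSSL uses for CA_path (what c_rehash produces); <n> separates collisions.
build_ca_path() {
    mkdir -p "$2"
    for crt in "$1"/*.crt; do
        h=$(openssl x509 -noout -subject_hash -in "$crt")
        n=0
        while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
        cp "$crt" "$2/$h.$n"
    done
}

# Concatenate every CA cert in $1 into the single PEM file $2 (CA_file style).
build_chain_file() { cat "$1"/*.crt > "$2"; }

# Exit 0 only if server cert $1 chains to a root found in hashed directory $2.
verify_with_capath() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# Exit 0 only if server cert $1 chains to a root found in chain file $2.
verify_with_cafile() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed throwaway PKI under $1: itClass1 (self-signed) -> itClass2 ->
# itClass3 -> server.pem. Placeholder names; nothing here is a real CA.
make_test_pki() {
    d=$1; mkdir -p "$d/ca"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for i in 1 2 3; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=itClass$i" \
            -keyout "$d/c$i.key" -out "$d/c$i.csr" 2>/dev/null
        if [ "$i" -eq 1 ]; then   # root: self-signed, CA:TRUE
            openssl x509 -req -in "$d/c1.csr" -signkey "$d/c1.key" -days 2 \
                -extfile "$d/ca.ext" -out "$d/ca/itClass1.crt" 2>/dev/null
        else                      # intermediate: signed by the level above
            openssl x509 -req -in "$d/c$i.csr" -CA "$d/ca/itClass$((i - 1)).crt" \
                -CAkey "$d/c$((i - 1)).key" -CAcreateserial -days 2 \
                -extfile "$d/ca.ext" -out "$d/ca/itClass$i.crt" 2>/dev/null
        fi
    done
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=radiux \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca/itClass3.crt" -CAkey "$d/c3.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}
```

A directory holding only the root, hashed or not, will not let the server certificate verify: every level of the hierarchy has to be present in CA_path or CA_file, since the peer only presents its own certificate.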
More information about the Freeradius-Users mailing list