HowTo: eap-tls with crl and two level CA certificate
Ivan Kalik
tnt at kalik.net
Fri Aug 28 10:40:36 CEST 2009
> My FreeRADIUS version is 2.1.1. When I configure EAP-TLS with a CRL and a
> one-level root certificate, it works normally. But when the CA is two-level,
> the root CA is for signing the second-level CA certificate, and the
> second-level CA is for signing user certificates and CRLs. That means the root
> CA certificate is self-signed, but the second-level CA certificate is not. How
> can I configure this? I got the error message below:
> [tls] eaptls_verify returned 11
> [tls] <<< TLS 1.0 Handshake [length 0477], Certificate
> --> verify error:num=3:unable to get certificate CRL
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
This means that you haven't imported the bundle onto the client.
> # Trusted Root CA list
> #
> # ALL of the CA's in this list will be trusted
> # to issue client certificates for authentication.
> #
> # In general, you should use self-signed
> # certificates for 802.1x (EAP) authentication.
> # In that case, this CA file should contain
> # *one* CA certificate.
> #
> # This parameter is used only for EAP-TLS,
> # when you issue client certificates. If you do
> # not use client certificates, and you do not want
> # to permit EAP-TLS authentication, then delete
> # this configuration item.
> CA_file = ${cadir}/ca.pem
ca.pem should also contain a certificate bundle.
Ivan Kalik
Kalik Informatika ISP
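The following script is an added illustration, not part of this thread and not FreeRADIUS code. It uses the plain `openssl` command line (assumed to be installed) to build a throw-away two-level PKI of the shape the question describes (self-signed root, second-level CA that signs the user certificate and the CRL), then verifies the client certificate with `openssl verify -crl_check` against three candidate contents for a CA bundle. `-crl_check` looks only for the CRL of the certificate being verified, so the CRL that matters is the one issued by the second-level CA. All names (Demo Root CA, Demo Issuing CA, demo-client) and the file layout are constructed for the example; the FreeRADIUS-side behaviour is only what the reply above states, namely that `ca.pem` must hold the bundle.

```shell
#!/bin/sh
# Added demo (not from the thread, not FreeRADIUS code): which bundle contents let
# a client certificate pass a CRL-checked verification when the CA is two-level.
# Names and files are constructed; requires the openssl CLI.

build_demo_pki() {
    work=$(mktemp -d) && cd "$work" || return 1
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Demo
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
database = index.txt
new_certs_dir = .
certificate = issuing.pem
private_key = issuing.key
default_md = sha256
default_crl_days = 30
EOF
    for n in root issuing client; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$n.key" || return 1
    done
    # Level 1: the self-signed root CA.
    openssl req -x509 -new -key root.key -config demo.cnf -subj "/CN=Demo Root CA" \
        -days 60 -out root.pem || return 1
    # Level 2: the issuing CA, signed by the root (so it is not self-signed).
    openssl req -new -key issuing.key -config demo.cnf -subj "/CN=Demo Issuing CA" \
        -out issuing.csr \
        && openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
           -days 60 -extfile demo.cnf -extensions v3_ca -out issuing.pem || return 1
    # The user (client) certificate, signed by the issuing CA.
    openssl req -new -key client.key -config demo.cnf -subj "/CN=demo-client" \
        -out client.csr \
        && openssl x509 -req -in client.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
           -days 30 -extfile demo.cnf -extensions v3_client -out client.pem || return 1
    # An (empty) CRL issued by the issuing CA, the CA that signs user certificates.
    : > index.txt
    openssl ca -gencrl -config demo.cnf -out issuing.crl || return 1
    # Three candidate bundles; only the first has everything the verifier needs.
    cat issuing.pem root.pem issuing.crl > bundle_full.pem        # chain + CRL
    cat issuing.pem root.pem             > bundle_no_crl.pem      # chain, no CRL
    cat root.pem issuing.crl             > bundle_root_only.pem   # no intermediate
}

# Verify client.pem against one bundle with CRL checking and classify the
# outcome by the same OpenSSL error text that appears in the question's log.
verify_client() {
    result=$(openssl verify -crl_check -CAfile "$1" client.pem 2>&1)
    case "$result" in
        *": OK"*)                                   echo ok ;;
        *"unable to get certificate CRL"*)          echo missing_crl ;;
        *"unable to get local issuer certificate"*) echo missing_intermediate ;;
        *)                                          echo "unexpected: $result" ;;
    esac
}

demo_main() {
    build_demo_pki || { echo "PKI build failed (is openssl installed?)" >&2; return 1; }
    for b in bundle_full bundle_no_crl bundle_root_only; do
        printf '%-22s %s\n' "$b.pem:" "$(verify_client "$b.pem")"
    done
}

demo_main
```

Only `bundle_full.pem` verifies: dropping the CRL reproduces the `unable to get certificate CRL` error from the question, and dropping the intermediate fails earlier, at chain building. If the check were to require a CRL at every level of the chain (`openssl verify -crl_check_all`), a CRL from the root would have to be in the bundle as well.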
More information about the Freeradius-Users mailing list