FreeRADIUS EAP-TLS and SSL certificate chains

Meyers, Dan d.meyers at
Fri Feb 13 18:11:20 CET 2009

I'm sure I must just be being thick with our FreeRADIUS config, but i've
completed failed to find anything online or in the docs explaining
*what* i'm doing wrong, so i'm posting here.

We've had a FreeRADIUS server set up for some time now, with an SSL
certificate directly signed by one of Verisign's root CA's, for the
purposes of doing EAP-TLS domain auth. This worked fine on both
FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
month, and it would appear no one issues root signed certs any more,
they're all cert chains. Obviously with things like apache this is fine,
as you install the chain bundle file at the same time as your actual
cert, and the chain gets passed to the client, who follows it to a root
CA they do already trust. I'm having trouble working out how to do this
with FreeRADIUS however. All the info I can find suggests that if I edit
my certificate file so that it contains multiple certs, from least
trusted at the top (my server cert) down the chain and file to the one
which has been signed by a root CA the user's machine will already
trust, then machines will follow the chain as expected and accept the
certificate. However if I do this, and have a chain file of the same
format as I use successfully on the web server (i.e. multiple BEGIN and
END blocks with a single cert between each pair), then my client
machines still fail to pick up the chain, and thus can't validate the

Am I missing something blindingly obvious with regards to how to do
certificate chains in FreeRADIUS? If so, please tell me what.


Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.meyers at

More information about the Freeradius-Users mailing list