FreeRADIUS EAP-TLS and SSL certificate chains

Matt Causey matt.causey at
Sun Feb 15 16:00:41 CET 2009

Remember when you put your Root CA file (and perhaps the CRL for that
CA) into your certificate directory, and ran 'c_rehash <cert

Well - it's just like that.  You might have had RootCA.pem with the
Verisign CA certificate.  Personally - I like to have a separate file
for each intermediate CA certificate in the chain.

When you think you are done - you can test the validity of your new
certificate like this:

openssl verify -crl_check -CApath <certificate path>

Hope this helps.  Give it a go and let us know if you have any problems.


On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan <d.meyers at> wrote:
> I'm sure I must just be being thick with our FreeRADIUS config, but i've
> completed failed to find anything online or in the docs explaining
> *what* i'm doing wrong, so i'm posting here.
> We've had a FreeRADIUS server set up for some time now, with an SSL
> certificate directly signed by one of Verisign's root CA's, for the
> purposes of doing EAP-TLS domain auth. This worked fine on both
> FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
> month, and it would appear no one issues root signed certs any more,
> they're all cert chains. Obviously with things like apache this is fine,
> as you install the chain bundle file at the same time as your actual
> cert, and the chain gets passed to the client, who follows it to a root
> CA they do already trust. I'm having trouble working out how to do this
> with FreeRADIUS however. All the info I can find suggests that if I edit
> my certificate file so that it contains multiple certs, from least
> trusted at the top (my server cert) down the chain and file to the one
> which has been signed by a root CA the user's machine will already
> trust, then machines will follow the chain as expected and accept the
> certificate. However if I do this, and have a chain file of the same
> format as I use successfully on the web server (i.e. multiple BEGIN and
> END blocks with a single cert between each pair), then my client
> machines still fail to pick up the chain, and thus can't validate the
> certificate.
> Am I missing something blindingly obvious with regards to how to do
> certificate chains in FreeRADIUS? If so, please tell me what.
> Thanks
> --
> Dan Meyers
> Network Specialist, Lancaster University
> E-Mail: d.meyers at
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list