FreeRADIUS EAP-TLS and SSL certificate chains
Matt Causey
matt.causey at gmail.com
Sun Feb 15 16:00:41 CET 2009
Remember when you put your Root CA file (and perhaps the CRL for that
CA) into your certificate directory, and ran 'c_rehash <cert
directory>'?
Well - it's just like that. You might have had RootCA.pem with the
Verisign CA certificate. Personally - I like to have a separate file
for each intermediate CA certificate in the chain.
When you think you are done - you can test the validity of your new
certificate like this:
  openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert
Hope this helps. Give it a go and let us know if you have any problems.
--
Matt
On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan <d.meyers at lancaster.ac.uk> wrote:
> I'm sure I must just be being thick with our FreeRADIUS config, but I've
> completely failed to find anything online or in the docs explaining
> *what* I'm doing wrong, so I'm posting here.
>
> We've had a FreeRADIUS server set up for some time now, with an SSL
> certificate directly signed by one of Verisign's root CAs, for the
> purposes of doing EAP-TLS domain auth. This worked fine on both
> FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
> month, and it would appear no one issues root signed certs any more,
> they're all cert chains. Obviously with things like Apache this is fine,
> as you install the chain bundle file at the same time as your actual
> cert, and the chain gets passed to the client, who follows it to a root
> CA they do already trust. I'm having trouble working out how to do this
> with FreeRADIUS however. All the info I can find suggests that if I edit
> my certificate file so that it contains multiple certs, from least
> trusted at the top (my server cert) down the chain and file to the one
> which has been signed by a root CA the user's machine will already
> trust, then machines will follow the chain as expected and accept the
> certificate. However if I do this, and have a chain file of the same
> format as I use successfully on the web server (i.e. multiple BEGIN and
> END blocks with a single cert between each pair), then my client
> machines still fail to pick up the chain, and thus can't validate the
> certificate.
>
> Am I missing something blindingly obvious with regards to how to do
> certificate chains in FreeRADIUS? If so, please tell me what.
>
> Thanks
>
> --
> Dan Meyers
> Network Specialist, Lancaster University
> E-Mail: d.meyers at lancaster.ac.uk
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
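The procedure in Matt's reply (one file per CA certificate in the certificate directory, hashed the way c_rehash does it, then checked with 'openssl verify -crl_check -CApath') as a self-contained script. This is an added example, not code from the post or from the FreeRADIUS project: it generates a throwaway root CA, intermediate CA and server certificate under a temp directory (the names "Example Root CA", "Example Intermediate CA" and "radius.example.org" are made up), so it runs offline with nothing but openssl. It shows the failure Dan describes (only the root present, so the chain does not build), the fix (the intermediate added as its own file), and the extra thing -crl_check needs (the issuing CA's CRL in the same directory), which the post mentions only in passing.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or FreeRADIUS itself).
# Builds a throwaway three-level chain root CA -> intermediate CA -> server
# cert, lays the CA certificates out c_rehash-style, and runs the
# 'openssl verify -crl_check -CApath' check from the reply above.
# All names are made up; needs only openssl (1.1 or newer).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext

# make_csr NAME SUBJECT_CN : fresh RSA key plus CSR (-subj overrides the placeholder CN)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

make_csr root   "Example Root CA"
make_csr inter  "Example Intermediate CA"
make_csr server "radius.example.org"

# Root: self-signed. Intermediate: signed by root. Server: signed by intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile server.ext -out server.pem >/dev/null 2>&1

# add_to_capath DIR CERT : what 'c_rehash DIR' (or 'openssl rehash DIR') does for
# one file: name it <subject-name-hash>.<n> so that -CApath lookups can find it.
add_to_capath() {
  mkdir -p "$1"
  h=$(openssl x509 -noout -subject_hash -in "$2")
  n=0
  while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
  cp "$2" "$1/$h.$n"
}

# verify_server DIR [openssl verify flags...] : prints "OK" when server.pem
# validates against DIR, otherwise a short tag for the reason openssl gives.
# Does not abort the script under set -e when verification fails.
verify_server() {
  dir=$1; shift
  out=$(openssl verify -CApath "$dir" "$@" server.pem 2>&1) || true
  case "$out" in
    *": OK"*)                                    echo "OK" ;;
    *"unable to get local issuer certificate"*)  echo "missing-issuer" ;;
    *"unable to get certificate CRL"*)           echo "missing-crl" ;;
    *)                                           echo "error: $out" ;;
  esac
}

# 1. Only the root in the directory: the intermediate is missing, so the
#    server certificate cannot be chained to anything trusted (Dan's symptom).
add_to_capath certs-root-only root.pem
echo "root only:          $(verify_server certs-root-only)"

# 2. Root and intermediate, each as its own file (Matt's layout): chain builds.
add_to_capath certs-full root.pem
add_to_capath certs-full inter.pem
echo "root+intermediate:  $(verify_server certs-full)"

# 3. Same directory with -crl_check as in the reply: the issuing CA's CRL must
#    also be in the directory (as <hash>.r0), or verify fails even though the
#    chain itself is fine.
echo "with -crl_check:    $(verify_server certs-full -crl_check)"
```

The three runs print missing-issuer, OK and missing-crl in that order. The last one is the caveat worth remembering when copying the command from the reply: -crl_check makes a missing CRL a hard failure, so either drop the CRL into the same hashed directory (c_rehash names it <hash>.r0) or leave the flag off when you only want to confirm that the chain builds.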