FreeRADIUS EAP-TLS and SSL certificate chains

Meyers, Dan d.meyers at
Tue Feb 17 16:45:31 CET 2009

> Remember when you put your Root CA file (and perhaps the CRL for that
> CA) into your certificate directory, and ran 'c_rehash <cert
> directory>'?

If you mean when I installed ssl certs for Apache, I never did this. I
simply put the server cert and the chain file on the server, then
configured mod_ssl with 2 required parameters - CertificateFile and
CertificateChainFile. No (re)hashing was required.

> Well - it's just like that.  You might have had RootCA.pem with the
> Verisign CA certificate.  Personally - I like to have a separate file
> for each intermediate CA certificate in the chain.

What i've got currently can be up to 3 files. Firstly, the server
certificate itself, which has been signed by Verisign's Intermediate CA,
then the cert for said Intermediate CA, and finally the root cert used
to sign the Intermediate CA. My current setup is with the server cert in
a file on it's own (jrs-radius02.pem is the cert, jrs-radius02.key is
the keyfile), and the intermediate and root certs in the same file
(verisign.pem. Intermediate cert at the top, root cert at the bottom). I
then have the following config lines in the tls section of eap.conf for
FreeRADIUS to reference these files:

private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key
certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem
CA_file = ${certdir}/jrs-radius02/verisign.pem

> When you think you are done - you can test the validity of your new
> certificate like this:
> openssl verify -crl_check -CApath <certificate path>
> /path/to/certificate-file/server.pem.cert

I've actually dropped the -crl_check from this test, as i'm not doing
crl checking within FreeRADIUS until i've got it working without it.
Also, this command didn't seem to work when my verisign.pem contained >
1 cert, even after a c_rehash, it only worked if all the certs were in
individual files:

jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath
. jrs-radius02.pem
jrs-radius02.pem: OK

As such, I also tried commenting out CA_file in eap.conf and instead

CA_path = ${certdir}/jrs-radius02/
With all my certs in individual files, but that gave the same behaviour,
i.e. that on my client it shows me the certificate it got passed, for
the jrs-radius02 server, but it doesn't have a certificate chain back to
a known trusted root.

> Hope this helps.  Give it a go and let us know if you have any

This still appears to be failing to pass the certificate chain. The root
cert *definitely* exists on my test client (I extracted it from there
and diffed it with the one on the server). If I install the intermediate
cert on the client, then everything works fine (but I don't want to have
to try and get my users to understand the process of installing a cert
before getting online). However when Windows XP prompts me to accept the
certificate FreeRADIUS is handing out it doesn't have any chain listed
at all, so I assume is still not being handed that Intermediate cert.

Thanks very much for the help so far. Any more would be greatly
appreciated. I can attach full config files if you think that would be

> On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan
> <d.meyers at> wrote:
> > I'm sure I must just be being thick with our FreeRADIUS config, but
> i've
> > completed failed to find anything online or in the docs explaining
> > *what* i'm doing wrong, so i'm posting here.
> >
> > We've had a FreeRADIUS server set up for some time now, with an SSL
> > certificate directly signed by one of Verisign's root CA's, for the
> > purposes of doing EAP-TLS domain auth. This worked fine on both
> > FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
> > month, and it would appear no one issues root signed certs any more,
> > they're all cert chains. Obviously with things like apache this is
> fine,
> > as you install the chain bundle file at the same time as your actual
> > cert, and the chain gets passed to the client, who follows it to a
> root
> > CA they do already trust. I'm having trouble working out how to do
> this
> > with FreeRADIUS however. All the info I can find suggests that if I
> edit
> > my certificate file so that it contains multiple certs, from least
> > trusted at the top (my server cert) down the chain and file to the
> one
> > which has been signed by a root CA the user's machine will already
> > trust, then machines will follow the chain as expected and accept
> > certificate. However if I do this, and have a chain file of the same
> > format as I use successfully on the web server (i.e. multiple BEGIN
> and
> > END blocks with a single cert between each pair), then my client
> > machines still fail to pick up the chain, and thus can't validate
> > certificate.
> >
> > Am I missing something blindingly obvious with regards to how to do
> > certificate chains in FreeRADIUS? If so, please tell me what.
> >
> > Thanks

More information about the Freeradius-Users mailing list