FreeRADIUS EAP-TLS and SSL certificate chains

tnt at kalik.net tnt at kalik.net
Tue Feb 17 17:14:06 CET 2009


>What i've got currently can be up to 3 files. Firstly, the server
>certificate itself, which has been signed by Verisign's Intermediate CA,
>then the cert for said Intermediate CA, and finally the root cert used
>to sign the Intermediate CA. My current setup is with the server cert in
>a file on its own (jrs-radius02.pem is the cert, jrs-radius02.key is
>the keyfile), and the intermediate and root certs in the same file
>(verisign.pem. Intermediate cert at the top, root cert at the bottom). I
>then have the following config lines in the tls section of eap.conf for
>FreeRADIUS to reference these files:
>
>private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key
>certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem
>CA_file = ${certdir}/jrs-radius02/verisign.pem
>
>> When you think you are done - you can test the validity of your new
>> certificate like this:
>>
>> openssl verify -crl_check -CApath <certificate path>
>> /path/to/certificate-file/server.pem.cert
>
>I've actually dropped the -crl_check from this test, as i'm not doing
>crl checking within FreeRADIUS until i've got it working without it.
>Also, this command didn't seem to work when my verisign.pem contained >
>1 cert, even after a c_rehash, it only worked if all the certs were in
>individual files:
>
>jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath .. jrs-radius02.pem
>jrs-radius02.pem: OK
>

What?

openssl verify -CAfile verisign.pem jrs-radius02.pem

isn't working? Then something is wrong with your chain file. Check that
you are using the correct root certificate and cat certificates again in
a new bundle.

Ivan Kalik
Kalik Informatika ISP
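An added, self-contained way to try the check Ivan describes (this is example code written for this page, not code from the thread or from FreeRADIUS): it builds a throwaway three-tier chain (root, intermediate, server), writes the chain file in the order the original poster used (intermediate first, root last), and runs `openssl verify -CAfile` against it, against a bundle containing the wrong root, and in the `-CApath` form with one hashed file per CA cert. All names (`Example Root CA`, `radius.example.net`, the file names) are invented for the example; it only assumes an `openssl` binary is on the path.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): build a three-tier test
# chain (root -> intermediate -> server, all constructed here with throwaway
# keys) and check it the way the thread suggests, so you can see what a good
# chain file and a wrong one each do before touching eap.conf.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

# Minimal config so the result does not depend on the system openssl.cnf.
write_cnf() {
  cat >"$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# selfsign DIR NAME SUBJECT: a self-signed CA certificate and key.
selfsign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
    -config "$1/openssl.cnf" -extensions v3_ca -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR NAME SUBJECT SECTION ISSUER: key + CSR, signed with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$1/$2.csr" \
    -CA "$1/$5.pem" -CAkey "$1/$5.key" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# build_chain DIR: root, intermediate, server, plus an unrelated root and the
# two chain files (intermediate first, root last, as in the original post).
build_chain() {
  write_cnf "$1"
  selfsign "$1" root "/CN=Example Root CA"
  selfsign "$1" other "/CN=Unrelated Root CA"
  issue "$1" intermediate "/CN=Example Intermediate CA" v3_ca root
  issue "$1" server "/CN=radius.example.net" v3_server intermediate
  cat "$1/intermediate.pem" "$1/root.pem" >"$1/chain.pem"
  cat "$1/intermediate.pem" "$1/other.pem" >"$1/wrong-chain.pem"
}

# verify_bundle CHAINFILE CERT: returns 0 if CERT validates against the bundle.
verify_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_hashdir DIR CERT: the -CApath form, with one CA cert per file named
# by its subject hash (what c_rehash produces, done by hand here).
verify_hashdir() {
  mkdir -p "$1/hashed"
  for ca in intermediate root; do
    cp "$1/$ca.pem" "$1/hashed/$(openssl x509 -hash -noout -in "$1/$ca.pem").0"
  done
  openssl verify -CApath "$1/hashed" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the chain in a scratch directory and report.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work"
for f in chain.pem wrong-chain.pem; do
  if verify_bundle "$work/$f" "$work/server.pem"; then
    echo "$f: server.pem OK"
  else
    echo "$f: server.pem REJECTED (check which root is in the bundle)"
  fi
done
if verify_hashdir "$work" "$work/server.pem"; then
  echo "-CApath with one cert per hashed file: OK"
fi
```

The `wrong-chain.pem` case is the failure mode Ivan is pointing at: the intermediate is present, but its issuer is not, so `openssl verify` cannot reach a self-signed trust anchor and rejects the server certificate. Swap in the real `jrs-radius02.pem` and `verisign.pem` for the generated files to run the same check on a production chain.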

More information about the Freeradius-Users mailing list