FreeRADIUS EAP-TLS and SSL certificate chains

Meyers, Dan d.meyers at
Fri Feb 20 10:57:26 CET 2009

> >Googling suggested that simply catting the 2 certs (server and
> >intermediate) into a single file (server at top, intermediate at
> bottom)
> >and listing that in the config as the certificate_file should work
> No, that's not going to work. Client machine will still look for the
> intermediate CA in it's store and not in that bundle.

So there is no way at all to get the client to pick up the cert chain
without directly installing the intermediate cert on it? Is this
actually a client issue of it refusing to use chains for this then,
rather than a FreeRADIUS issue of it not passing the chain?

Thanks very much for all your help. This only came up because Verisign
have stopped issuing directly root-signed certs, as have the other major
cert authorities, it would seem. Our previous cert was directly root
signed, and thus worked fine. I (possibly foolishly) assumed that if all
the major CAs were shifting to chained certs for everything that the
majority of clients using ssl supported them as well.


More information about the Freeradius-Users mailing list