Installing Third Party Certificate on FreeRadius

Jacob Dawson dawson at vt.edu
Tue Dec 27 20:44:22 CET 2011


The extra info outside of the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' lines is just extra, informative stuff you can get openssl to generate for you when you put together your file.

On further reflection, I believe I was mistaken.  Looks like we stuff all the useful-to-freeradius certs in ca.pem (our server ca, our network access CA that signs all the certificates clients use to connect via TLS, etc), while the .crt file is where we put the actual service certificate and its pedigree.  Makes sense, because I had some headaches learning about how FR varies in the way its cert is put together, namely, while I was handed the certificate and its chain in two separate files, like we use on some of our web servers, I had to cat them into a single cert file for FR, as opposed to stuffing the cert chain into ca.pem.

Good learning experience.
- Jacob

On 27 Dec 2011, at 14:16, McSparin, Joe wrote:

> I notice that the existing server.pem file contains the locality and
> organization name and so forth along with a local key id before it lists
> the cert chain.  Is there something I need to do to generate this? 
> 
> 
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcsparin at hillcountrymemorial.org
> 
> -----Original Message-----
> From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org at lists.freeradius.org
> [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org at lists.freeradius.org] On Behalf Of Jacob Dawson
> Sent: Tuesday, December 27, 2011 12:41 PM
> To: FreeRadius users mailing list
> Subject: Re: Installing Third Party Certificate on FreeRadius
> 
> Yup, there's a difference.  You'll want to put the cert chain in the pem
> file so that it's available for clients when you present your cert for
> the first time.  Just put the cert all by itself in the crt file.
> 
> I'm about to go swap them out on our systems, so I'll review to see if
> there was anything else odd about it.
> 
> Jacob M. Dawson
> Network Research Engineer
> Virginia Tech
> 
> On 27 Dec 2011, at 12:41, McSparin, Joe wrote:
> 
>> I have a certificate called AddTrustExternalCARoot.crt that I would
>> like to have FreeRadius start using.  I know I need to change the
>> eap.conf to look at the new cert; however, I was noticing that when the
>> test certificates are created there is both a server.crt and server.pem.
>> Is there a difference and do I need to do something to create an
>> AddTrustExternalCARoot.pem file?
>> 
>> Thanks,
>> 
>> Joseph R. McSparin
>> Network Administrator
>> Hill Country Memorial Hospital
>> 830 990 6638 phone
>> 830 990 6623 fax
>> jmcsparin at hillcountrymemorial.org
>> 
>> 
>> This email message and any attachments are for the sole use of the
>> intended recipient(s) and contain confidential and/or privileged
>> information. Any unauthorized review, use, disclosure or distribution is
>> prohibited. If you are not the intended recipient, please contact the
>> sender by reply email and destroy all copies of the original message and
>> any attachments.
>> 
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> 

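The layout described in the top reply (service certificate first, then its chain, with text outside the BEGIN/END markers being informational only) can be checked before eap.conf is pointed at the combined file. This is an added example, not code from the thread or from the FreeRADIUS project; the function names, the byte-for-byte issuer/subject comparison and the constructed sample skeletons are assumptions of the example.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """(label, DER bytes) per PEM block; text outside the markers is ignored."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def issuer_subject(der):
    """Raw issuer and subject Name encodings of an X.509 certificate."""
    _, off, _ = tlv(der, 0)        # Certificate SEQUENCE
    _, off, _ = tlv(der, off)      # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, off)
    if tag == 0xA0:                # optional [0] version field
        off = end
    fields = []
    for _ in range(5):             # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der, off)
        fields.append(der[off:end])
        off = end
    return fields[2], fields[4]

def check_server_file(text):
    """List ordering problems: service cert first, then each issuer in turn."""
    names = [issuer_subject(d) for label, d in pem_blocks(text) if label == "CERTIFICATE"]
    problems = [] if names else ["no certificate found"]
    for n in range(1, len(names)):
        if names[n][1] != names[n - 1][0]:  # subject n must equal issuer n-1
            problems.append(f"certificate {n + 1} did not issue certificate {n}")
    return problems

def _der(tag, body):               # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(subject, issuer):
    """Constructed skeleton holding only the fields read above; not a real cert."""
    tbs = (_der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"")
           + _der(0x30, issuer.encode()) + _der(0x30, b"") + _der(0x30, subject.encode()))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"subject=/CN={subject}\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Private key blocks in the same file are skipped by the label filter, so `check_server_file(open(path).read())` can be run on a combined key-plus-certificate file as well.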



