Make the server certificate from Thawte

Alexey Shildyakov ashl1future at
Thu Jul 7 01:35:00 CEST 2011

> nope.
> for private key you need your private key - the one that you made before
> making the CSR for thawte

Yes. Thank you. I was confused because in default FreeRADIUS has
"${raddbdir}/certs/cert-srv.pem" value here.
> for certificate file you need the trialThawte file
> then for CA file you need a file that contains the Server Intermediate CA and Thawte Test CA Root
> concatenated together
> if you use passwords for the private key then you will
> have one

Yes. It's true.

Summing up, what the algorithm to configure certificate from Trusted CA:

1. cd /etc/raddb/certs
2. openssl genrsa –des3 –out server.key 2048. Remember the passphrase,
you have been entered.
3. openssl req –new –key server.key –out server.csr. Write suitable
X.509 attributes.
4. Upload server.csr to your CA (Thawte, Verisign, GeoTrust)
5. Receive SSL certificate, Secure Server Intermediate CA and CA Root
certificate from Trusted CA.
6. Write received SSL certificate to file "server.pem"
7. Write received Secure Server Intermediate CA and CA Root
certificates concatenated together to file "ca.pem"
8. Set the eap.conf tls section:
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = passphrase_you_entered_while_creating_server.key
private_key_file = ${certdir}/server.key
CA_file = ${cadir}/ca.pem

Is it possible to add this instruction to certs/README to avoid this
topic emerge again?
Best Regards, Shildyakov Alexey Vladimirovich

More information about the Freeradius-Users mailing list