Using an external CA certificate
Matt Langthorpe
matt.langthorpe at pmb.ox.ac.uk
Thu Mar 3 12:28:18 CET 2011
Thanks Alex,
that was spot on and fixed the issue, much appreciated.
-----Original Message-----
From: freeradius-users-bounces+matt.langthorpe=pmb.ox.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+matt.langthorpe=pmb.ox.ac.uk at lists.freeradius.org] On Behalf Of Alexander Clouter
Sent: 01 March 2011 13:30
To: freeradius-users at lists.freeradius.org
Subject: Re: Using an external CA certificate
Matt Langthorpe <matt.langthorpe at pmb.ox.ac.uk> wrote:
>
> Having a bit of trouble following the official freeradius wiki when it
> comes to certificates. Basically I have my own certificate which I
> want to use. I have a ***.crt file which was sent by my issuer, and a
> private.pem file which was created when I made my CSR request using
> openssl.
>
----
alex at chipmunk:~$ unzip 10133697.zip
Archive: 10133697.zip
extracting: 10133697.ca-bundle
extracting: 10133697.crt
alex at chipmunk:~$ cat 10133697.crt 10133697.ca-bundle > server.pem
----
The infernal folks at Comodo seem to have changed their process recently so that you get the bundle; the old-style approach was:
----
$ cat 10133697.crt TERENASSLCA.crt UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt > server.pem
----
Now in your 'eap.conf' file use the following and you should be set:
----
private_key_password = secret
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
----
FYI, if you have to do a similar thing with Apache, you want:
----
SSLEngine on
SSLCertificateFile /etc/apache2/certs/example/10133697.crt
SSLCertificateKeyFile /etc/apache2/certs/example/privkey.pem
SSLCertificateChainFile /etc/apache2/certs/example/10133697.ca-bundle
----
> I have uploaded the two files into my raddb/certs folder, but am
> unsure as to where to point to them in my eap.conf? I notice none of
> the cert files listed in eap.conf have a *.crt extension which is a
> bit confusing.
>
This is UNIX, file extensions are generally meaningless and should be ignored.
Cheers
--
Alexander Clouter
.sigmonster says: I think the world is run by C students.
-- Al McGuire
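A check that can be run on the resulting server.pem before pointing eap.conf at it (an added example, not part of the original thread): it confirms that the first certificate in the bundle matches the private key and that each certificate is followed by its issuer. The function names and the throwaway demo chain are constructed for illustration; an encrypted key needs `-passin` added to the `openssl pkey` call.

```shell
#!/bin/sh
# Added example: sanity-check a server.pem built with `cat cert ca-bundle`.

# The leaf certificate (first in the bundle) must match the private key.
key_matches() {  # key_matches BUNDLE KEY
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    b=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$a" = "$b" ]
}

# Each certificate's issuer must be the subject of the certificate after it.
chain_ordered() {  # chain_ordered BUNDLE
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9); if (n && s != want) bad = 1; n++ }
         /^issuer=/  { want = substr($0, 8) }
         END { exit (bad || n == 0) }'
}

# Constructed test chain: root CA -> intermediate CA -> server certificate.
make_demo_chain() {  # make_demo_chain DIR
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
          -out root.crt -subj "/CN=Demo Root" -days 2
      openssl req -newkey rsa:2048 -nodes -keyout inter.key \
          -out inter.csr -subj "/CN=Demo Intermediate"
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
          -CAcreateserial -extfile ca.ext -out inter.crt -days 2
      openssl req -newkey rsa:2048 -nodes -keyout server.key \
          -out server.csr -subj "/CN=radius.example.org"
      openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
          -CAcreateserial -out server.crt -days 2
      cat inter.crt root.crt > ca-bundle
      cat server.crt ca-bundle > server.pem   # order used in the post
      cat ca-bundle server.crt > wrong.pem    # leaf last: wrong order
    ) >/dev/null 2>&1
}

# Usage: sh check-bundle.sh server.pem server.key
if [ "$#" -eq 2 ]; then
    key_matches "$1" "$2" && chain_ordered "$1" && echo "bundle OK"
fi
```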