WPA Enterprise Certificate renewal for FreeRadius

Sven Hartge sven at svenhartge.de
Mon Jan 9 18:52:22 CET 2012


Mike Diggins <mike.diggins at mcmaster.ca> wrote:

> I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
> authentication certificate currently. My eap.conf 'certificate file'
> contains the certificate only, not the root and/or intermediates. That
> seems to be ok, since most clients already have the Thawte Root
> certificate installed.

> I renewed the new certificate just recently and discovered that Thawte
> is no longer issuing certificates under the old root so my clients
> will likely be asked to trust the new certificate when I install it.
> All my documentation changes as well but that's another story.

> My question is, what is the value of adding the roots/intermediates to
> the certificate file i.e certificate_file =
> ${certdir}/certificate.crt? Does it really allow a client without the
> Root already installed to verify this certificate?

No. If the client does not know/trust the root certificate, it will not
work, or it will ask the user.

But it will help if the client only includes the root but not any
intermediate certificates.

So it is a good idea to append intermediate and root certificates (i.e.
the whole chain to the root) to your server certificate.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
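Added example, not part of the thread and not FreeRADIUS code: a shell script that builds a throwaway root / intermediate / server PKI with openssl and reproduces the situation Sven describes. A verifier that trusts only the root is first handed the bare server certificate (path building fails), then the concatenated bundle of server certificate, intermediate and root, which is what `certificate_file` in eap.conf should point at. Every subject name, file name and directory in the script is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread): demonstrates why the PEM file
# FreeRADIUS presents to supplicants should carry the intermediate CA(s).
# All subjects and paths here are constructed for the demo.

# Issue one certificate into $WORK.
# Args: name, subject, issuer name ("" = self-signed), profile ("ca"|"server").
issue_cert() {
    name=$1; subj=$2; issuer=$3; profile=$4
    if [ "$profile" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$WORK/$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.test\n' \
            > "$WORK/$name.ext"
    fi
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "$subj" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        # Self-signed root.
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        # Signed by the named issuer.
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# Build the PKI, run both verification scenarios, print a one-line summary.
chain_demo() {
    WORK=$(mktemp -d)
    issue_cert root         '/CN=Demo Root CA'         ''           ca
    issue_cert intermediate '/CN=Demo Intermediate CA' root         ca
    issue_cert server       '/CN=radius.example.test'  intermediate server

    # Client trusts only the root and is sent just the leaf: no path to the root.
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        leaf_only=ok
    else
        leaf_only=fail
    fi

    # The recommended bundle: server cert first, then intermediate(s), then root.
    cat "$WORK/server.pem" "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/certificate.crt"
    n_certs=$(grep -c 'BEGIN CERTIFICATE' "$WORK/certificate.crt")

    # Same root-only trust store, but the presented bundle supplies the intermediate.
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/certificate.crt" \
            "$WORK/server.pem" >/dev/null 2>&1; then
        with_chain=ok
    else
        with_chain=fail
    fi

    # The first certificate in the bundle must be the server's own end-entity cert.
    first_cn=$(openssl x509 -noout -subject -in "$WORK/certificate.crt" | sed 's/.*CN *= *//')

    rm -rf "$WORK"
    echo "leaf_only=$leaf_only with_chain=$with_chain certs=$n_certs first=$first_cn"
}

chain_demo
```

The second `openssl verify` mirrors a supplicant whose trust store holds only the root: the `-CAfile` is the root alone, and `-untrusted` is the bundle the RADIUS server would send during the TLS handshake. Note that the bundle still does not help a client that lacks the root itself, which is exactly the point made in the reply above.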