WPA Enterprise Certificate renewal for FreeRadius

Phil Mayers p.mayers at imperial.ac.uk
Mon Jan 9 19:03:52 CET 2012

On 09/01/12 17:42, Mike Diggins wrote:
> I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
> authentication certificate currently. My eap.conf 'certificate file'
> contains the certificate only, not the root and/or intermediates. That
> seems to be ok, since most clients already have the Thawte Root
> certificate installed.
> I renewed the new certificate just recently and discovered that Thawte
> is no longer issuing certificates under the old root so my clients will
> likely be asked to trust the new certificate when I install it. All my
> documentation changes as well but that's another story.
> My question is, what is the value of adding the roots/intermediates to
> the certificate file i.e certificate_file = ${certdir}/certificate.crt?
> Does it really allow a client without the Root already installed to
> verify this certificate?

Most clients:

  1. Have all the common "top-level" CAs installed
  2. May or may not have the intermediate CAs

We put the server & intermediate certs (NOT the top-level) into the cert 
file, and in our experience this lets all clients (Windows, MacOS, iOS, 
Android) connect without errors.

I believe that, if the client really does lack the top-level CA, you're 
screwed. You will have to manually install at least the top-level cert, 
except on MacOS (and possibly iOS, but not sure).

More information about the Freeradius-Users mailing list