WPA Enterprise Certificate renewal for FreeRadius

Mike Diggins mike.diggins at mcmaster.ca
Mon Jan 9 20:26:48 CET 2012

On Mon, 9 Jan 2012, Phil Mayers wrote:

> On 09/01/12 17:42, Mike Diggins wrote:
>> I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
>> authentication certificate currently. My eap.conf 'certificate file'
>> contains the certificate only, not the root and/or intermediates. That
>> seems to be ok, since most clients already have the Thawte Root
>> certificate installed.
>> I renewed the new certificate just recently and discovered that Thawte
>> is no longer issuing certificates under the old root so my clients will
>> likely be asked to trust the new certificate when I install it. All my
>> documentation changes as well but that's another story.
>> My question is, what is the value of adding the roots/intermediates to
>> the certificate file i.e certificate_file = ${certdir}/certificate.crt?
>> Does it really allow a client without the Root already installed to
>> verify this certificate?
> Most clients:
> 1. Have all the common "top-level" CAs installed
> 2. May or may not have the intermediate CAs
> We put the server & intermediate certs (NOT the top-level) into the cert 
> file, and in our experience this lets all clients (Windows, MacOS, iOS, 
> Android) connect without errors.
> I believe that, if the client really does lack the top-level CA, you're 
> screwed. You will have to manually install at least the top-level cert, 
> except on MacOS (and possibly iOS, but not sure).
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

Do the certificates need to be listed in any particular order in the 


More information about the Freeradius-Users mailing list