Intermediate SSL certificate
Mathieu Simon
mathieu.sim at gmail.com
Mon Aug 26 10:46:54 CEST 2013
Hi Matthew
2013/8/22 Matthew Ceroni <matthewceroni at gmail.com>
>
>
> I read that for FreeRadius just combine the cert with the intermediate
> cert into one file and then reference that in eap.conf:certificate_file.
>
> I have done that but clients are still failing certificate validation.
>
Honestly, I also had some hassles with the certificate chain; now we can configure clients to check both the CA and the certificate CN.
My experience was that I had to honor the certificate order and make sure not to include unused intermediate certificates. That is: don't include a full CA bundle from your CA; stay well below the 64k limit (http://wiki.freeradius.org/guide/Certificate%20Compatibility).
I used OpenSSL to show both subject and issuer and went through the chain of trust starting with the server certificate, which in my case was from StartCom.
You'll need to know where you can download all root and intermediate certificates from your issuing CA.
$ openssl x509 -noout -in mysignedservercert.pem -subject -issuer
subject= <removed>
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
After getting the Class 2 Primary Intermediate Server CA:
$ openssl x509 -noout -in sub.class2.server.ca.pem -subject -issuer
subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
And finally we're at the top of the chain:
$ openssl x509 -noout -in ca.pem -subject -issuer
subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
# Build the cert bundle for FreeRADIUS: server cert first, then its intermediate, then the root
$ cat mysignedservercert.pem sub.class2.server.ca.pem ca.pem > myservercert-roots-bundled.pem
This resulted in an 8k file while StartSSL's CA bundle is 124k.
-- Mathieu
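The procedure Mathieu describes (walk subject and issuer with openssl, bundle server cert, intermediate and root in that order, leave out unused CA certificates, stay under the 64k limit) as a script. This is an added example, not code from the original thread or from the FreeRADIUS project. It assumes only POSIX sh and the openssl CLI (1.1.1 or 3.x); it matches issuers to subjects with openssl's -issuer_hash/-subject_hash (the same canonical name hashes c_rehash uses for CApath lookups), and it generates its own throwaway test chain in make_fixtures so it runs offline: the names Test Root, Test Intermediate, Unrelated CA and radius.example.test are constructed, not real CA material. Treating the wiki's 64k as 65536 bytes is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes only the openssl
# CLI (1.1.1 or 3.x) and POSIX sh. Everything make_fixtures creates (Test Root,
# Test Intermediate, Unrelated CA, radius.example.test) is a constructed
# throwaway fixture so the script runs offline, not real CA material.
set -u

LIMIT=65536   # 64k certificate_file limit noted on the FreeRADIUS wiki (assumed as bytes)

# Number of PEM certificates in a file.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# 0 if the bundle is below the FreeRADIUS limit, 1 otherwise.
check_size() { [ "$(wc -c < "$1" | tr -d ' ')" -lt "$LIMIT" ]; }

# OpenSSL's canonical name hashes: a cert's issuer_hash equals its issuer's subject_hash.
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }
name_of()      { openssl x509 -noout -subject -nameopt RFC2253 -in "$1"; }

# Walk from the server cert through a directory of candidate CA certs, taking only
# the cert whose subject matches the current issuer, until a self-issued root.
# Writes the ordered bundle (server cert, intermediates, root) to $3.
build_chain() {
    leaf=$1; pool=$2; out=$3
    cp "$leaf" "$out"; cur=$leaf
    while [ "$(issuer_hash "$cur")" != "$(subject_hash "$cur")" ]; do
        want=$(issuer_hash "$cur"); next=""
        for c in "$pool"/*.pem; do
            [ "$(subject_hash "$c")" = "$want" ] && next=$c && break
        done
        [ -n "$next" ] || { echo "no issuer found for $(name_of "$cur")" >&2; return 1; }
        echo "adding $(name_of "$next")"
        cat "$next" >> "$out"; cur=$next
    done
}

# 0 if every cert in the bundle is issued by the cert that follows it.
check_order() {
    d=$(mktemp -d); split_bundle "$1" "$d"; n=$(count_certs "$1"); i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        if [ "$(issuer_hash "$d/cert-$i.pem")" != "$(subject_hash "$d/cert-$((i + 1)).pem")" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$d"; return $rc
}

# Let OpenSSL verify the bundle: last cert as trust anchor, the ones between as untrusted.
verify_chain() {
    d=$(mktemp -d); split_bundle "$1" "$d"; n=$(count_certs "$1"); i=2; rc=1
    : > "$d/untrusted.pem"
    while [ "$i" -lt "$n" ]; do cat "$d/cert-$i.pem" >> "$d/untrusted.pem"; i=$((i + 1)); done
    if [ -s "$d/untrusted.pem" ]; then
        openssl verify -CAfile "$d/cert-$n.pem" -untrusted "$d/untrusted.pem" "$d/cert-1.pem" && rc=0
    else
        openssl verify -CAfile "$d/cert-$n.pem" "$d/cert-1.pem" && rc=0
    fi
    rm -rf "$d"; return $rc
}

# Constructed fixtures: root -> intermediate -> server chain, plus an unrelated CA
# in the pool that a correct bundle must leave out.
make_fixtures() {
    d=$1; mkdir -p "$d/pool"
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/req.cnf"
    key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # word-split on purpose
    openssl req -x509 -config "$d/req.cnf" -extensions ca $key -keyout "$d/root.key" \
        -out "$d/pool/root.pem" -subj "/CN=Test Root" -days 2 2>/dev/null
    openssl req -x509 -config "$d/req.cnf" -extensions ca $key -keyout "$d/other.key" \
        -out "$d/pool/other.pem" -subj "/CN=Unrelated CA" -days 2 2>/dev/null
    openssl req -new -config "$d/req.cnf" $key -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/pool/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/req.cnf" -extensions ca -out "$d/pool/intermediate.pem" -days 2 2>/dev/null
    openssl req -new -config "$d/req.cnf" $key -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=radius.example.test" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/pool/intermediate.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.pem" -days 2 2>/dev/null
}

# Run as: sh build-bundle.sh demo
if [ "${1:-}" = "demo" ]; then
    W=$(mktemp -d); make_fixtures "$W"
    build_chain "$W/server.pem" "$W/pool" "$W/bundle.pem" && check_order "$W/bundle.pem" \
        && check_size "$W/bundle.pem" && verify_chain "$W/bundle.pem" \
        && echo "bundle OK: $(count_certs "$W/bundle.pem") certs, $(wc -c < "$W/bundle.pem") bytes"
    rm -rf "$W"
fi
```

For a real deployment, point build_chain at the server certificate and a directory holding the intermediate and root certificates downloaded from the issuing CA; the resulting file is what eap.conf's certificate_file should reference. check_order is the quick test to run on an existing bundle that clients reject: it reports the first position where a certificate is not issued by the one after it, which is exactly what a misordered or padded bundle looks like. verify_chain then has OpenSSL build the path with only the last certificate trusted, so a missing or wrong intermediate is reported rather than silently accepted.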