chain certificate problem

Theral Mackey tmackey at evernote.com
Thu Nov 7 20:44:23 CET 2013


>> Concatenate your root and intermediates and use those.  Beware of using
>> a cert dir and the CA path as if done incorrectly then someone could
>> authenticate just by having a cert signed with the same root CA as your
>> RADIUS server
>>
>> alan
>>
> Thank you for your answer, but it doesn't work. I don't see where you can
> declare this certificate.
> There is a field CAfile, but it is related to the authentication of the
> client (EAP-TLS). Furthermore, if I use this field with all the
> certificates concatenated, freeradius complains it is not readable.
>
> My question is: is there a way to deal with a chain other than loading the
> full chain in the client?

This is really more of a general SSL question. The client will need to be
able to somehow follow the cert chain from the cert back through the
intermediaries to the CA. The easiest way is to concat them all into one
file, in order (it shouldn't matter, but some programs are picky). When doing a
cert concat, make sure you *ONLY* concat the cert itself, not the text info
that is in some certs. Remove anything that is not between the -----BEGIN
CERTIFICATE----- and -----END CERTIFICATE----- lines (the BEGIN and END
lines themselves DO need to be in the result though); openssl will
sometimes dump the cert info as text above the BEGIN line. Your eap.conf
should have CA_file and certificate_file set to tell radius which ones to
use for EAP.

-T
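As an added illustration (not part of the thread or of FreeRADIUS itself), the following POSIX shell snippet does the cleanup described above: it keeps only the lines between the BEGIN/END CERTIFICATE markers from each input file, in the order given, and provides two checks that catch the "not readable" symptom (stray text outside a block, wrong number of certificates). The file names and the base64 bodies are constructed placeholders, not real certificates; on a real system you would point it at the server, intermediate and root PEM files and then reference the result from `certificate_file` / `CA_file` in eap.conf.

```shell
#!/bin/sh
# Added example: keep only PEM certificate blocks from the given files, in
# the order given, so the output can be used as a chain bundle. Everything
# outside -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- (for
# example the text dump that "openssl x509 -text" prints above the block)
# is dropped.
pem_certs_only() {
    # awk range pattern: print from a BEGIN line through the next END line
    awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' "$@"
}

# How many certificate blocks a bundle contains; compare against the number
# of certs you expect in the chain before pointing eap.conf at the file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Print every line that sits outside a certificate block. A clean bundle
# prints nothing; any output is the kind of text that makes a PEM loader
# reject the file.
stray_lines() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inblk = 1 }
         !inblk { print }
         /^-----END CERTIFICATE-----$/ { inblk = 0 }' "$1"
}

# Build a demo chain from constructed input files and set CHAIN_FILE and
# DEMO_DIR for the caller. The base64 bodies are placeholders, not certs.
demo() {
    DEMO_DIR=$(mktemp -d)
    cat > "$DEMO_DIR/server.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=radius.example.test (constructed placeholder)
-----BEGIN CERTIFICATE-----
SERVERCERTPLACEHOLDERBASE64==
-----END CERTIFICATE-----
EOF
    cat > "$DEMO_DIR/intermediate.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDERBASE64==
-----END CERTIFICATE-----
EOF
    cat > "$DEMO_DIR/root.crt" <<'EOF'
Issuer note above the block (constructed placeholder text)
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDERBASE64==
-----END CERTIFICATE-----
EOF
    CHAIN_FILE="$DEMO_DIR/chain.pem"
    # Leaf first, then intermediate(s), then root: the order most clients expect.
    pem_certs_only "$DEMO_DIR/server.crt" "$DEMO_DIR/intermediate.crt" \
                   "$DEMO_DIR/root.crt" > "$CHAIN_FILE"
}

demo
echo "wrote $CHAIN_FILE with $(count_certs "$CHAIN_FILE") certificate blocks"
if [ -n "$(stray_lines "$CHAIN_FILE")" ]; then
    echo "warning: text found outside certificate blocks" >&2
fi
```

Running `stray_lines` on the original `server.crt` shows the text dump that has to go, while running it on `chain.pem` prints nothing, which is the state FreeRADIUS needs to load the file.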