Trusted CA, Signed Certs and Verification
Sam Fakhreddine
Sam.Fakhreddine at ledcor.com
Fri Apr 4 19:13:56 CEST 2014
>how to fix? you need to ensure that the RADIUS server hands out not only ITS cert,
>but also the intermediates... so just concatenate the intermediates and the RADIUS cert into one single file and
>send that out (configure that in the eap.conf file) instead. the client will receive the
>intermediates..which it can link against the known/trusted CA...and the RADIUS cert which it can link to the intermediates.
Thank you for your reply Alan,
I have concatenated all the files together in every possible configuration I can think of.
Currently what I have is:
private_key_file = ${certdir}/lcajra1.key
certificate_file = ${certdir}/server.int.root.pem
Inside of that Certificate file is: the server certificate, the intermediate certificate and the Trusted root, all that I got from Digicert.
When I run radius -X everything works normally and the config file loads those files, and yet I still get "server identity cannot be verified" even though the entire chain is available there.
I can verify with openssl verify that my certificate and my chain are OK:
[root at lcajra1 certs]# openssl verify -CAfile server.int.root.pem -verbose lcajra1_ledcor_net.crt
lcajra1_ledcor_net.crt: OK
[root at lcajra1 certs]# openssl verify -CAfile server.int.root.pem -verbose server.int.root.pem
server.int.root.pem: OK
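
The difference between an `openssl verify -CAfile <bundle>` check like the one in the message above and what a client that trusts only the root CA evaluates, as an added example that is not part of the original post. It builds a throwaway constructed chain (all file names and CNs are made up for illustration) and verifies the leaf both ways.

```shell
#!/bin/sh
# Added example. Builds a constructed root -> intermediate -> leaf chain in a
# temp dir (all names are made up) and compares two ways of checking it.
mk() {  # mk <dir> <name> <CN>: new key + CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
make_chain() {  # make_chain <dir>
  d=$1
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ext.cnf"
  mk "$d" root "Constructed Root"
  mk "$d" int  "Constructed Intermediate"
  mk "$d" leaf "Constructed Leaf"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # Same layout as the post's server.int.root.pem: leaf, intermediate, root.
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}
ok() { grep -q ': OK'; }   # openssl verify prints "<file>: OK" on success
# The check from the post: the bundle is the -CAfile, so the intermediate is
# itself a trust anchor and the result says nothing about what a client sees.
verify_as_posted() { openssl verify -CAfile "$1/bundle.pem" "$1/leaf.pem" 2>&1 | ok; }
# Client's view: only the root is trusted; anything else must arrive from the
# server, modelled here with -untrusted. $2 = file of certs sent with the leaf.
verify_as_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1 | ok
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | ok
  fi
}
# Subjects in file order, to see what a bundle actually contains.
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject'
}
work=$(mktemp -d)
make_chain "$work"
verify_as_posted "$work"                  && echo "as posted: OK"
verify_as_client "$work"                  || echo "client, leaf only: FAIL"
verify_as_client "$work" "$work/int.pem"  && echo "client, leaf + intermediate: OK"
bundle_subjects "$work/bundle.pem"
```

The `-untrusted` form is the closer local model of a client, because only the root is a trust anchor and the intermediate has to be supplied alongside the leaf.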