radius server presenting itself as

John Dennis jdennis at redhat.com
Thu Mar 6 16:54:45 CET 2014

On 03/06/2014 10:10 AM, Morris, Andi wrote:
> However, I've just spotted that I had the same commonName for both my
> server.cnf and ca.cnf.

That's a problem and one I've see others make. Any cert whose subject
and issuer are identical is considered a self-signed cert and you won't
"chain up" to the signing CA cert. It also become ambiguous when both
certs are present. Each X509 library may handle this differently so you
may get different results depending on the implementation. The simple
answer is "don't do it", it just creates problems.

FWIW certs are disambiguated by the <subject, serial> pair, CA's are
never supposed to issue a cert with a previously used serial number. But
the issuer field in a cert only contains a subject, this is why you'll
often see the serial embedded in the subject of an issuer cert, it helps
to properly identify the correct issuer cert.


More information about the Freeradius-Users mailing list