About the file pointed at by setting "certificate_file"

Axel Luttgens axel.luttgens at skynet.be
Mon Sep 8 14:09:18 CEST 2014


Currently, I have in raddb/mods-available/eap the equivalent of:

	tls-config tls-common {
		private_key_password = whatever
		private_key_file = /path/to/my_server_key.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#  If ca_file (below) is not used, then the
		#  certificate_file below MUST include not
		#  only the server certificate, but ALSO all
		#  of the CA certificates used to sign the
		#  server certificate.
		certificate_file = /path/to/my_server_cert.pem

		#  Trusted Root CA list
		#  ALL of the CA's in this list will be trusted
		#  to issue client certificates for authentication.
		#  In general, you should use self-signed
		#  certificates for 802.1x (EAP) authentication.
		#  In that case, this CA file should contain
		#  *one* CA certificate.
		#  This parameter is used only for EAP-TLS,
		#  when you issue client certificates.  If you do
		#  not use client certificates, and you do not want
		#  to permit EAP-TLS authentication, then delete
		#  this configuration item.
		ca_file = /path/to/my_root_ca_cert.pem

where the server's certificate (my_server_cert.pem) has been signed with the help of an ad hoc root CA (whose certificate is my_root_ca_cert.pem).

It "works", in the sense that a client connecting thru TTLS receives both certificates, which is exactly what I want. :-)

Now, it is true that I currently don't implement TLS.

Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line,
and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define:

		certificate_file = /path/to/my_combined_certs

What format(s) is (are) allowed by FR for that file "my_combined_certs"?
Would a simple cat of the two certificates (currently in PEM format) be sufficient?


More information about the Freeradius-Users mailing list