Strange things with android phone
Kamil Jońca
kjonca at o2.pl
Sat Aug 22 18:11:20 CEST 2015
kjonca at o2.pl (Kamil Jońca) writes:
[...]
> I have copied new ca file to CA_path, and done c_rehash. What else
> should I do?
> BTW. excerpt from my eap.conf
> eap {
> default_eap_type = tls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 4096
> tls {
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> private_key_password = [.....]
> private_key_file = [....]
> certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
> certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
> dh_file = /etc/ssl/dh.pem
> random_file = /dev/urandom
> CA_path = ${cadir}
> check_cert_cn = %{User-Name}
> cipher_list = "DEFAULT"
> make_cert_command = "${certdir}/bootstrap"
>
>
> [....]
It looks like the problem is in
--8<---------------cut here---------------start------------->8---
certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2,1.pem
certificate_file = ${confdir}/certs/wifi,beta-wifi-beta,2.5.pem
--8<---------------cut here---------------end--------------->8---
Both of these certs are created for the key from "private_key_file".
One of them is signed by one CA ("old") and the second by my new CA.
When a client with a cert signed by the "new" CA wants to connect, it ends with
the first file, which is signed by the "wrong" CA. (As I understand.)
I tried to bundle both certs into a single file, but with no success.
So my question is:
I have some certs for clients signed by the OLD CA.
I want to gradually "migrate" to the "new" CA.
How can I make it use two CAs [1] and two cert files for the server [2]?
KJ
[1] - it looks simple
[2] - but this is not
--
http://wolnelektury.pl/wesprzyj/teraz/
Women, when they are not in love, have all the cold blood of an experienced
attorney.
-- Honoré de Balzac
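
Added example (not part of the original post): a shell check for the situation described above, where one server key is certified by two different CAs. It builds a constructed throwaway PKI (all file and subject names are hypothetical) and reports which CA verifies each server certificate and whether each certificate matches the key.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; every file and subject name is hypothetical.

# Succeed if the certificate ($1) carries the public key of the private key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the first CA file (arguments after $1) that verifies the certificate $1.
issuing_ca() {
    cert=$1; shift
    for ca in "$@"; do
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "$ca"; return 0
        fi
    done
    echo none; return 1
}

# Build the constructed PKI in directory $1: one server key, certified once by
# an "old" CA and once by a "new" CA, as in the post.
make_demo_pki() {
    d=$1
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    for ca in old new; do
        openssl x509 -req -in "$d/server.csr" -days 2 -set_serial 1 \
            -CA "$d/$ca-ca.pem" -CAkey "$d/$ca-ca.key" \
            -out "$d/server-$ca.pem" 2>/dev/null || return 1
    done
}

# Report, for each server certificate, its issuing CA and whether it fits the key.
d=$(mktemp -d) && make_demo_pki "$d" && for c in old new; do
    f="$d/server-$c.pem"
    cert_matches_key "$f" "$d/server.key" && fit=yes || fit=no
    echo "server-$c.pem: key match=$fit, verified by $(issuing_ca "$f" "$d"/*-ca.pem)"
done
```

To run the checks on real files, call `cert_matches_key` and `issuing_ca` with your own certificate, key and CA file paths in place of the constructed ones.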