EAP TLS against multiple certificates?

David Hartburn D.J.Hartburn at kent.ac.uk
Fri Mar 31 13:02:19 CEST 2017


Is it possible to check EAP-TLS against multiple certificate chains, or 
bundle two chains together into the same pem file?

We have a potential problem where all our certificate auth laptops have 
been using SHA1 for quite some time. Recently we upgraded our 
certificate authority to SHA256, so any laptops that request a new cert 
will get a SHA256.

If I put a SHA256 root chain certificate in the EAP-TLS config then a 
SHA256 client can authenticate, but naturally SHA1 can not. If I leave 
the SHA1 root chain on the server, then the newer SHA256 clients can not 

I am worried that one day I will come in to find half the clients have 
renewed to a SHA256 and can no longer auth. Is there anything I can do 
to allow both certificate types to authenticate during this transition 

In terms of config, in mods-enabled/eap, I have
	tls-config loanlaptops {
		private_key_file = ${confdir}/certs/loan_laptop_server.pem
		certificate_file = ${confdir}/certs/loan_laptop_server.pem
		ca_file = ${confdir}/certs/unikentrootCAchain.pem


	tls {
		# Point to the Loan Laptops TLS configuration
		tls = loanlaptops
		virtual_server = check-eap-tls


Dave Hartburn

More information about the Freeradius-Users mailing list