EAP TLS against multiple certificates?
David Hartburn
D.J.Hartburn at kent.ac.uk
Fri Mar 31 13:02:19 CEST 2017
Hi,
Is it possible to check EAP-TLS against multiple certificate chains, or
bundle two chains together into the same pem file?
We have a potential problem where all our certificate auth laptops have
been using SHA1 for quite some time. Recently we upgraded our
certificate authority to SHA256, so any laptops that request a new cert
will get a SHA256.
If I put a SHA256 root chain certificate in the EAP-TLS config then a
SHA256 client can authenticate, but naturally SHA1 cannot. If I leave
the SHA1 root chain on the server, then the newer SHA256 clients cannot
authenticate.
I am worried that one day I will come in to find half the clients have
renewed to a SHA256 and can no longer auth. Is there anything I can do
to allow both certificate types to authenticate during this transition
period?
In terms of config, in mods-enabled/eap, I have:

tls-config loanlaptops {
    private_key_file = ${confdir}/certs/loan_laptop_server.pem
    certificate_file = ${confdir}/certs/loan_laptop_server.pem
    ca_file = ${confdir}/certs/unikentrootCAchain.pem
    ......
}

tls {
    # Point to the Loan Laptops TLS configuration
    tls = loanlaptops
    virtual_server = check-eap-tls
}
Yours
Dave Hartburn