Can I use two or more freeradius server certificates for the same virtual site?

work vlpl thework.vlpl at gmail.com
Thu Nov 1 14:52:44 CET 2018


On Thu, 1 Nov 2018 at 18:57, Alan DeKok <aland at deployingradius.com> wrote:

> Which certificate do you mean?  The client trusts the CA cert.  The server cert is derived from that.

The server certificate, the one configured by the `certificate_file`
option in the `tls-config tls-common` section (eap module).

> If you're using the same CA cert, just change the server certificate.  All clients should accept the new server certificate automatically.

Yes, I know about that. But in my case I cannot issue a new server
certificate from the same CA. That CA was bought by another CA, and
new certificates are now signed with a different root certificate. This
causes some problems. Clients that verify the server certificate using
the CA certificate that is stored in the radius configuration now have
a broken trust chain.

The idea of using two certificates aims to avoid similar problems in the future.

> Not really in the way that you're asking.  Because it shouldn't be necessary.

Ok, I got it.
Thank you very much for your answers.

--
Vladimir
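
The broken trust chain described in this message can be checked for before a new file is put in `certificate_file`. The sketch below is an added example, not part of the original post and not FreeRADIUS code; the CA and certificate names (`old-root`, `new-root`, `current`, `candidate`, `radius.example.org`) are constructed stand-ins, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: two throwaway CAs stand in for the old root (the one
# clients are configured to trust) and the new root of the acquiring CA.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca() {        # make_ca <name>: self-signed root, key and cert in $work
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_server() {   # issue_server <ca-name> <out-name>: server cert signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
        -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -days 30 \
        -CA "$work/$1.pem" -CAkey "$work/$1.key" -CAcreateserial \
        -out "$work/$2.pem" 2>/dev/null
}

chains_to() {      # chains_to <ca-name> <cert-name>: exit 0 if the cert verifies
                   # with that CA supplied as the trust anchor
    openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

make_ca old-root
make_ca new-root
issue_server old-root current      # certificate the server presents today
issue_server new-root candidate    # replacement issued under the new root

# Run the same check a client pinned to the old CA certificate would run.
for cert in current candidate; do
    if chains_to old-root "$cert"; then
        echo "$cert: accepted by clients that trust old-root"
    else
        echo "$cert: REJECTED by clients that trust old-root"
    fi
done
```

With real files, the `chains_to` check reduces to running `openssl verify -CAfile` with the CA certificate distributed to clients against the candidate server certificate.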

