Can I use two or more freeradius server certificates for the same virtual site?
Alan DeKok
aland at deployingradius.com
Thu Nov 1 15:08:00 CET 2018
On Nov 1, 2018, at 9:52 AM, work vlpl <thework.vlpl at gmail.com> wrote:
> Yes, I know about it. But in my case I cannot issue a new server
> certificate from the same CA. That CA was bought by another CA, and now
> new certificates are signed with a different root certificate.
Ugh. That's not nice.
> This
> causes some problems. Clients that verify the server certificate using the CA
> certificate that is stored in the RADIUS configuration now have a broken trust
> chain.
The problem is that TLS doesn't really allow for what you want. When EAP-TLS (or PEAP or TTLS) starts up, there's no way for the client to signal which CA root it wants.
Instead, what happens is this (roughly speaking):
client: let's do TLS!
server: Sure, here's my CA and server cert!
client: Uh... not what I wanted, goodbye!
The only way to signal which CA you want is by some other method. i.e. changing the outer identities, as Christian suggested.
Or, you could have a list of which systems (i.e. MAC address) use which certificates. And then do:
    if (system is in group 1) {
        eap with old CA cert
    }
    else {
        eap with new CA cert
    }
There aren't really many other options. TLS 1.3 is supposed to fix that, I think, but it's a long way from widespread use.
Alan DeKok.
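As an added worked example (this is not Alan's configuration and not something shipped with FreeRADIUS), here is how the "group 1 gets the old CA, everyone else gets the new CA" split above could be written for a FreeRADIUS 3.x server. Two independent instances of the eap module each carry their own server certificate chain, and unlang in the authorize section picks one by Calling-Station-Id. The instance names eap_old/eap_new, the tls-config names, the certificate file names and the two MAC addresses are all assumed or constructed for the example; ${certdir} and ${cadir} are the variables defined in the stock radiusd.conf.

```unlang
# mods-enabled/eap  (assumed file layout; instance names are made up)
#
# Each eap instance presents its own certificate chain.  Supplicants that
# still trust the OLD root must be steered to eap_old; everyone else gets
# eap_new.  The inner-tunnel site keeps using the stock "eap" instance
# (or either of these) for the inner MSCHAPv2/GTC method, which has no TLS.

eap eap_old {
    default_eap_type = peap

    tls-config tls-old {
        # Server cert issued by the OLD CA, followed by any intermediates,
        # so the supplicant can build the chain up to the old root.
        certificate_file = ${certdir}/server-old.pem
        private_key_file = ${certdir}/server-old.key
        # Old CA bundle: used for EAP-TLS client-cert verification.
        ca_file          = ${cadir}/ca-old.pem
    }

    peap {
        tls = tls-old
        virtual_server = "inner-tunnel"
    }
    ttls {
        tls = tls-old
        virtual_server = "inner-tunnel"
    }
}

eap eap_new {
    default_eap_type = peap

    tls-config tls-new {
        # Server cert issued by the NEW (post-acquisition) root.
        certificate_file = ${certdir}/server-new.pem
        private_key_file = ${certdir}/server-new.key
        ca_file          = ${cadir}/ca-new.pem
    }

    peap {
        tls = tls-new
        virtual_server = "inner-tunnel"
    }
    ttls {
        tls = tls-new
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/default  (only the relevant parts shown)
authorize {
    preprocess

    # Constructed example group: two supplicants that were deployed with the
    # old CA cert.  Calling-Station-Id formatting depends on the NAS
    # (00-11-22-.. vs 00:11:22:..), hence the [-:] and the /i flag.
    if (&Calling-Station-Id =~ /^(00[-:]11[-:]22[-:]33[-:]44[-:]55|00[-:]11[-:]22[-:]aa[-:]bb[-:]cc)$/i) {
        eap_old {
            ok = return
        }
    }
    else {
        # Alternative selector, per the "change the outer identity" advice:
        #   if (&User-Name =~ /@legacy\.example\.org$/i) { eap_old ... }
        eap_new {
            ok = return
        }
    }

    # ... files, sql, etc. as in the stock config ...
}

authenticate {
    # Each eap instance sets Auth-Type to its own instance name, so the
    # matching subsection must call the same instance that started the
    # conversation.
    Auth-Type eap_old {
        eap_old
    }
    Auth-Type eap_new {
        eap_new
    }
}
```

Two things to keep in mind when running this. First, Calling-Station-Id is reported by the NAS and can be forged, but here it only decides which of two legitimate chains the server presents; a wrong guess fails closed, because the supplicant rejects the chain before sending any credentials, which is exactly the failure the original poster already has. Second, the selector runs in authorize before the TLS handshake starts, which is the point Alan makes: nothing inside the TLS exchange itself tells the server which root the client trusts, so the decision has to come from an attribute that arrives in the first Access-Request (MAC address, outer identity, NAS, SSID and so on).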
More information about the Freeradius-Users mailing list