EAP-TLS cert validation with intermediate cert

Alan DeKok aland at deployingradius.com
Wed Sep 26 21:31:33 CEST 2018

On Sep 26, 2018, at 3:09 PM, Zetan Drableg <zetan.drableg at gmail.com> wrote:
> In /etc/raddb/mods-enabled/eap
> client = "/usr/bin/openssl verify -CApath ${..ca_path}
> %{TLS-Client-Cert-Filename}"
> Wpa_supplicant is sending a client certificate that is the client +
> intermediate certificate concatenated. However freeradius only gets the
> client certificate in TLS-Client-Cert-Filename and openssl fails
> validation. I checked this by changing the client = verify command to copy
> the certificate to /var/tmp so I could look at it.

  Yes.  Only the client certificate is written to that file.

> I can verify the cert using
> openssl verify -CAfile ca.pem -untrusted intermediate.pem client.pem
> but the intermediate is not available to the radius server, or from the
> received cert chain from the client. I think freeradius should be receiving
> client+intermediate certs from wpa_client, but it's not.

  It is receiving both certs, but it's only writing the client cert to the file.

> Is there another Filename variable containing the intermediate?

  No.  If there was one, it would be documented.

> Why is freeradius truncating the cert to only the client and removing the
> intermediate?

  It's not truncating the cert.  It's not removing the intermediate.

  It's writing (as per the documentation) the client cert to the file.  It doesn't write the intermediate cert to the file.

  The short solution is to ensure that the intermediate certs are *already* available in the certificate store used by FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list