clarification on eap configuration files and certificates

Alan DeKok aland at deployingradius.com
Thu Jun 20 13:04:16 CEST 2019


On Jun 20, 2019, at 5:06 AM, Marco Santantonio <marco.santantonio at unito.it> wrote:
> 
> I have one last doubt on the subject. As I said, we use certificates issued
> by a public CA (Digicert). In the certificate chain that I insert in the
> certificate_file should I also enter the root CA or, being this public and
> recognized, do I expect the clients to know it already?

  The clients should already know the root CA.  It may work if you don't put the root CA into the certificate_file.

> Does leaving the CA
> root in the chain not increase packet exchange with probable longer
> round-trip times and therefore slower authentications?

  Leaving the root CA in the chain will likely add one more packet exchange.  It may slow down authentication slightly.  But in practice, this isn't much of an issue.

  If you enable fast session resumption, then 99% of authentications will use that, and will bypass the certificate exchange completely.  And, leaving the root CA in there may help in some cases.

  I usually recommend being safe.  Leave the root CA there, and enable fast session resumption.

  Alan DeKok.
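
The setup recommended in the reply above, written out as an added example (not part of the original post and not the project's shipped configuration). It assumes the FreeRADIUS 3.0.x layout of `mods-available/eap`; the file names `server-chain.pem` and `server.key` are hypothetical.

```conf
# Added example. Assumes the FreeRADIUS 3.0.x mods-available/eap layout.
# server-chain.pem and server.key are hypothetical file names.
eap {
	tls-config tls-common {
		# Private key matching the first certificate in the bundle.
		private_key_file = ${certdir}/server.key

		# PEM bundle sent to clients, in this order:
		#   1. server certificate
		#   2. intermediate CA certificate(s)
		#   3. root CA certificate (clients should already know it;
		#      keeping it here likely adds one more packet exchange
		#      on a full authentication)
		certificate_file = ${certdir}/server-chain.pem

		# Fast session resumption: a resumed session bypasses the
		# certificate exchange, so the length of the chain only
		# matters for full handshakes.
		cache {
			enable = yes
			lifetime = 24	# hours
			name = "EAP module"
		}
	}
}
```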




More information about the Freeradius-Users mailing list