clarification on eap configuration files and certificates

Marco Santantonio marco.santantonio at
Thu Jun 20 13:41:17 CEST 2019

ok, many thanks for your support!


Il giorno gio 20 giu 2019 alle ore 13:04 Alan DeKok <
aland at> ha scritto:

> On Jun 20, 2019, at 5:06 AM, Marco Santantonio <marco.santantonio at>
> wrote:
> >
> > I have one last doubt on the subject. As I said, we use certificates
> issued
> > by a public CA (Digicert). In the certificates chain that I insert in the
> > certificate_file should i also enter the root CA or, being this public
> and
> > recognized, do I expect the clients to know it already?
>   The clients should already know the root CA.  It may work if you don't
> put the root CA into the certificate_file.
> > Does leaving the CA
> > root in the chain not increase packet exchange with probable longer
> > round-trip times and therefore slower authentications?
>   Leaving the root CA in the chain will likely add one more packet
> exchange.  It may slow down authentication slightly.  But in practice, this
> isn't much of an issue.
>   If you enable fast session resumption, then 99% of authentications will
> use that, and will bypass the certificate exchange completely.  And,
> leaving the root CA in there may help in some cases.
>   I usually recommend being safe.  Leave the root CA there, and enable
> fast session resumption.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

Marco Santantonio
Direzione Sistemi Informativi, Portale, E-learning
Sezione Fonia, VoIP e WiFi

More information about the Freeradius-Users mailing list