OCSP Response Signed by other CA
Mike DiBella
mike at dibella.net
Wed Oct 30 23:08:14 CET 2019
I'm attempting to add OCSP certificate verification to EAP, but my responder hosts multiple CAs and signs the responses with a cert common to all. I think FreeRADIUS is assuming that the signer of the OCSP response will be the same as the signer of the client certificate, and I can't see an option to override this behavior. I've already tried concatenating the OCSP signer to the client trust certificate file, but FreeRADIUS still fails validation with "Error: rlm_eap: SSL error error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted". Any ideas?