OCSP Response Signed by other CA

Mike DiBella mike at dibella.net
Wed Oct 30 23:08:14 CET 2019

I'm attempting to add OCSP certificate verification to EAP, but my responder hosts multiple CAs and signs the responses with a cert common to all. I think FreeRADIUS is assuming that the signer of the OCSP response will be the same as the signer of the client certificate, and I can't see an option to override this behavior. I've already tried concatenating the OCSP signer to the client trust certificate file, but FreeRADIUS still fails validation with "Error: rlm_eap: SSL error error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted". Any ideas?
