iOS doesn't trust server certificate signed by intermediate issuer
mcn at freeradius.org
Fri Dec 4 03:05:07 CET 2020
On 03/12/2020 21:01, Igor Sousa wrote:
> I created a bundle with intermediate and root certificates, in this order
> an. I configured the /etc/freeradius/mods-enabled/eap as below:
> private_key_file = <path for server private key that I created>
> certificate_file = <new path for server.pem received from GlobalSign>
> ca_file = <path to ca.bundle obtained by cat intermediate.pem >> ca.bundle
> and cat root.pem >> ca.bundle>
That's not right, unless you are using EAP-TLS and want anyone with a
certificate generated by GlobalSign to be able to authenticate.
private_key_file should be a .pem file with the private key.
certificate_file should be a .pem file containing the server certificate
and the intermediate certificate, in that order.
Don't set ca_file at all.
Don't put the GlobalSign root CA in any of the files. The clients have
that already to check that the server cert is genuine.
More information about the Freeradius-Users