iOS doesn't trust server certificate signed by intermediate issuer

Matthew Newton mcn at
Fri Dec 4 03:05:07 CET 2020

On 03/12/2020 21:01, Igor Sousa wrote:
> I created a bundle with intermediate and root certificates, in this order
> an. I configured the /etc/freeradius/mods-enabled/eap as below:
> private_key_file = <path for server private key that I created>
> certificate_file = <new path for server.pem received from GlobalSign>
> ca_file = <path to ca.bundle obtained by cat intermediate.pem >> ca.bundle
> and cat root.pem >> ca.bundle>

That's not right, unless you are using EAP-TLS and want anyone with a 
certificate generated by GlobalSign to be able to authenticate.

private_key_file should be a .pem file with the private key.

certificate_file should be a .pem file containing the server certificate 
and the intermediate certificate, in that order.

Don't set ca_file at all.

Don't put the GlobalSign root CA in any of the files. The clients have 
that already to check that the server cert is genuine.

