Can I use diffrent root CA certificates while dynamic loading certificate chains?

Matthew Newton mcn at
Wed Nov 8 09:46:56 UTC 2023

On 08/11/2023 08:42, James Fan wrote:
> Hi, we have a case that, with multi-tenancy, there will be multiple CA
> certificates in our FreeRadius server, so we need to load the certificate
> chains dynamically. But when I use the statements below, I can't include
> the CA certificates in the certificate files I set. The TLS-Session-Cert-File
> looks like it is only for the server certificate and intermediate CA
> certificates. Is there any chance of dynamic loading certificate chains
> with root CA certificates?

Why? The client already has the root CA cert installed which is uses to 
verify the server certificate that you send. You don't need to send the 
root to the client again.

If you want to use different root CAs on the server to verify client 
certificates (e.g. with EAP-TLS) from different roots then either 
configure ca_path in the eap module, or make duplicate eap module 
instances and call the appropriate one depending on the incoming request.

> authenticate {
>    ...
>    Auth-Type eap {
>        if ("%{unpack:&EAP-Message 4 byte}" == 1) {
>        update control {
>             TLS-Session-Cert-File := "${certdir}/realms/%{Realm}"
>        }
>     }
>     eap

"eap" here should be inside the "Auth-Type eap" section.

>   }
>    ...
> }


More information about the Freeradius-Users mailing list