Can I use diffrent root CA certificates while dynamic loading certificate chains?

[James Fan]

Hi Matthew,
Thanks for your reply.
If I configure the ca_path, it does not multi-tenancy because the CA
certificates will exist in one path, and if I use a client certificate from
the other tenant's CA, it will pass, right?
So, how can I ensure the client will use the proper CA to verify
certificates based on their tenant If I can get tenant information from the
request? Thanks.

On Wed, Nov 8, 2023 at 5:47 PM Matthew Newton via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> On 08/11/2023 08:42, James Fan wrote:
> > Hi, we have a case that, with multi-tenancy, there will be multiple CA
> > certificates in our FreeRadius server, so we need to load the certificate
> > chains dynamically. But when I use the statements below, I can't include
> > the CA certificates in the certificate files I set. The
> TLS-Session-Cert-File
> > looks like it is only for the server certificate and intermediate CA
> > certificates. Is there any chance of dynamic loading certificate chains
> > with root CA certificates?
>
> Why? The client already has the root CA cert installed which is uses to
> verify the server certificate that you send. You don't need to send the
> root to the client again.
>
> If you want to use different root CAs on the server to verify client
> certificates (e.g. with EAP-TLS) from different roots then either
> configure ca_path in the eap module, or make duplicate eap module
> instances and call the appropriate one depending on the incoming request.
>
>
> > authenticate {
> >    ...
> >    Auth-Type eap {
> >        if ("%{unpack:&EAP-Message 4 byte}" == 1) {
> >        update control {
> >             TLS-Session-Cert-File := "${certdir}/realms/%{Realm}"
> >        }
> >     }
> >     eap
>
> "eap" here should be inside the "Auth-Type eap" section.
>
> >   }
> >    ...
> > }
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>