Can I use different root CA certificates while dynamic loading certificate chains?

Matthew Newton mcn at
Wed Nov 8 10:31:14 UTC 2023

On 08/11/2023 10:13, James Fan wrote:
> If I configure the ca_path, it does not multi-tenancy because the CA
> certificates will exist in one path, and if I use a client certificate from
> the other tenant's CA, it will pass, right?

You add extra checks to make sure the right one has been used.

But what EAP type?

If it's EAP-TLS then you can configure the check-eap-type virtual server 
(see the tls{} config section) where you can look at certificate 
information and accept/reject. It's often used to pull information from 
the client cert and then do an LDAP lookup, for example.

Otherwise you should be able to use the TLS-Cert-* attributes to see 
which root CA has been used and make policy decisions. See e.g. 
raddb/sites-available/default for a commented-out list of what's available.

> So, how can I ensure the client will use the proper CA to verify
> certificates based on their tenant if I can get tenant information from the
> request?

"proper CA"? That doesn't make much sense. You don't.

The client will check that the server certificate presented is valid, or 
not. If it has the root CA installed of whatever server certificate is 
presented, then it'll pass. You can often configure the client (as part 
of its provisioning process, whatever that is for you) so that only a 
certain set of root CAs can be used for server auth, it's not something 
you do on the server side. But if the client user can reconfigure their 
machine, they can alter that setting - it's for security not for 
authentication purposes.

You don't permit the client to access the network based on what server 
certificate is presented. You verify the credentials the client sends to 
the server, e.g. the username/password, or the client cert - possibly 
with extra policy checks.


More information about the Freeradius-Users mailing list
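
One way to express the extra per-tenant check described in the message above, as FreeRADIUS v3 unlang for the virtual server named by `virtual_server` in the tls{} section (an added example, not part of the original message or of the project's shipped configuration). It assumes the tenant is the realm part of User-Name and that each tenant's CA signs client certificates directly, so TLS-Client-Cert-Issuer is that CA's subject; the realms and issuer DNs are constructed placeholders.

```unlang
# Added example: bind each tenant realm to the CA that must have issued
# the client certificate. All CAs still live in the one ca_path; this
# policy is what stops a certificate from tenant B's CA being accepted
# for a tenant A identity.
#
# Assumptions (not from the original message):
#   - tenant = realm in User-Name (user@tenant-a.example)
#   - issuer DNs below are placeholders; copy the real values from your
#     own CA certificates, in the same one-line form the server logs.
authorize {
	# Positive matches only: if TLS-Client-Cert-Issuer is missing, the
	# comparison is false and the request falls through to the reject.
	if ((&User-Name =~ /@tenant-a\.example$/i) && (&TLS-Client-Cert-Issuer == "/C=XX/O=Tenant A/CN=Tenant A Client CA")) {
		update config {
			&Auth-Type := Accept
		}
	}
	elsif ((&User-Name =~ /@tenant-b\.example$/i) && (&TLS-Client-Cert-Issuer == "/C=XX/O=Tenant B/CN=Tenant B Client CA")) {
		update config {
			&Auth-Type := Accept
		}
	}
	else {
		# Unknown realm, or a valid certificate from the wrong
		# tenant's CA: fail closed.
		update reply {
			&Reply-Message := "Certificate issuer does not match tenant"
		}
		reject
	}
}
```

The check relies on every CA in ca_path having a distinct subject DN, and later authorization should use the same tenant value that was matched here.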