Can I use different root CA certificates while dynamically loading certificate chains?

James Fan polysorb at
Thu Nov 9 06:28:08 UTC 2023

Hi Matthew,
We are using the check-eap-tls virtual server and ca_path with the magic
"hash link" now, and it can achieve the desired results!
Thank you so much.


On Wed, Nov 8, 2023 at 6:31 PM Matthew Newton via Freeradius-Users <
freeradius-users at> wrote:

> On 08/11/2023 10:13, James Fan wrote:
> > If I configure the ca_path, it does not support multi-tenancy because the CA
> > certificates will exist in one path, and if I use a client certificate from
> > the other tenant's CA, it will pass, right?
> You add extra checks to make sure the right one has been used.
> But what EAP type?
> If it's EAP-TLS then you can configure the check-eap-type virtual server
> (see the tls{} config section) where you can look at certificate
> information and accept/reject. It's often used to pull information from
> the client cert and then do an LDAP lookup, for example.
> Otherwise you should be able to use the TLS-Cert-* attributes to see
> which root CA has been used and make policy decisions. See e.g.
> raddb/sites-available/default for a commented-out list of what's available.
> > So, how can I ensure the client will use the proper CA to verify
> > certificates based on their tenant if I can get tenant information from the
> > request?
> "proper CA"? That doesn't make much sense. You don't.
> The client will check that the server certificate presented is valid, or
> not. If it has the root CA installed of whatever server certificate is
> presented, then it'll pass. You can often configure the client (as part
> of its provisioning process, whatever that is for you) so that only a
> certain set of root CAs can be used for server auth, it's not something
> you do on the server side. But if the client user can reconfigure their
> machine, they can alter that setting - it's for security not for
> authentication purposes.
> You don't permit the client to access the network based on what server
> certificate is presented. You verify the credentials the client sends to
> the server, e.g. the username/password, or the client cert - possibly
> with extra policy checks.
> --
> Matthew
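As an added illustration (not James's or Matthew's configuration, and not the stock raddb file), here is one way to put the "extra checks" Matthew mentions into the check-eap-tls virtual server, so that a client certificate from tenant B's CA is rejected for a tenant A user even though ca_path trusts both CAs. It assumes the tenant is the realm part of User-Name, that User-Name is visible inside this virtual server, and uses constructed issuer DNs.

```unlang
# raddb/sites-available/check-eap-tls (added example; pointed to by
# virtual_server = check-eap-tls in the tls-config of mods-available/eap)
server check-eap-tls {
	authorize {
		# Tenant is the realm part of the outer identity, e.g.
		# "alice@tenant-a.example" -> "tenant-a.example".
		# ASSUMPTION: User-Name is present in this virtual server's request.
		if (&User-Name !~ /^[^@]+@([^@]+)$/) {
			reject
		}
		update request {
			&Tmp-String-0 := "%{1}"
		}

		# Each tenant may only present certificates issued by its own CA.
		# The issuer DN strings below are constructed sample values; use the
		# exact DN that FreeRADIUS logs in TLS-Client-Cert-Issuer.
		switch &Tmp-String-0 {
			case "tenant-a.example" {
				if (&TLS-Client-Cert-Issuer != "/C=XX/O=Tenant A/CN=Tenant A Root CA") {
					reject
				}
			}
			case "tenant-b.example" {
				if (&TLS-Client-Cert-Issuer != "/C=XX/O=Tenant B/CN=Tenant B Root CA") {
					reject
				}
			}
			case {
				# Unknown tenant: never fall through to an accept.
				reject
			}
		}
		ok
	}
}
```

Run the server with -X and check the TLS-Client-Cert-Issuer value printed in the debug output against the DN strings before enabling this in production.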
