EAP-TLS, untrusted certificate in client chain
Alan DeKok
aland at deployingradius.com
Fri Aug 16 13:23:06 UTC 2024
On Aug 4, 2024, at 3:50 PM, Rolf Harald Holmvik <rolf.harald.holmvik at gmail.com> wrote:
> I'm testing EAP-TLS for WPA3 Enterprise Wi-Fi authentication, and I'm
> having trouble getting FreeRADIUS to trust the intermediate
> certificate in the client chain. Hopefully someone on this mailing
> list can point me in the right direction to get it working. I'd like
> to eventually set "reject_unknown_intermediate_ca = yes", but can't
> until I get FreeRADIUS to trust the legitimate intermediate
> certificate.
Unfortunately the issue here seems to be OpenSSL. I don't recall the exact reasons, but for some reason OpenSSL is deciding that the intermediate certificate is untrusted, even though FreeRADIUS has given it the entire certificate chain.
We'll try to figure out why, but in the meantime you can just ignore the message. If you control the root CA, it's likely that it won't issue intermediate CAs which are unknown to you.
Alan DeKok.