EAP/TTLS - Multiple Certificate chains
Alan DeKok
aland at deployingradius.com
Sat Apr 12 22:02:34 UTC 2025
On Apr 8, 2025, at 1:07 PM, adam <adamham at gmail.com> wrote:
> I have some queries I hope someone can help me with.
>
> 1) Pre-loading certificates:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_7/raddb/certs/realms/README.md#preloading-certificate-chains
>
> I have set realm_dir in our eap module as suggested. As per:
>
>>> Once the realm_dir configuration has been added, the selection of
> certificates is identical to that described in the previous section. Just
> set TLS-Session-Cert-File, and the server will figure it out.
>
> … I have added the unlang statement suggested in
> https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_7/raddb/certs/realms/README.md#dynamic-loading-of-certificate-chains
That should be OK.
> Q: Is there a way to know if a certificate chain has been
> pre-loaded/cached? I can’t find reference in the debug output at startup or
> during the EAP/TTLS conversation. The file is definitely parsed by the
> server (if I remove the private key from the chain the server will complain
> if a corresponding key file is not present), but it would be useful for me
> to see if a cached file is being used or not.
There's no debug log which says that. I'll add one.
> Unless I have misunderstood the documentation, my realm_dir and the
> directory I have set in the unlang statement are the same. So certificate
> chains are pre-loaded from this directory on startup, and also added to
> that directory during runtime for dynamic loading.
Yes.
> Q: In the event that a certificate chain is pre-loaded/cached, and the file
> in the realms directory changed during runtime (e.g. certificate renewal)
> is it safe to assume the cached chain is used until a server restart?
Yes. The cached file isn't reloaded.
> 2) File format
>
> I have followed
> https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_7/raddb/certs/realms/README.md#format
> and
> also placed the private key at the top of each file.
You can also put the private key into a separate ".key" file.
> In the "preloading-certificate-chains" section it states:
>
>>> Each file in that directory should be a PEM encoded certificate chain,
> as described in the previous section. For safety, every file must have a
> .pem as the filename extension. e.g. example.org.pem. If there is a
> corresponding private key, it should be placed into a .key file. e.g.
> example.org.key.
>
> (emphasis on must)
>
> Accordingly, each of my certificate chain files has a '.pem' extension and
> I have had to change the unlang expression so the files are found on startup
> and at runtime e.g.
>
> "
> …
> TLS-Session-Cert-File := "${certdir}/realms/%{Realm}.pem"
> …
> "
>
> Q: is the ".pem" file suffix still necessary? I ask as I have tested with
> and without and both work the same. I also ask in case this bears relevance
> to my first question.
For files loaded via TLS-Session-Cert-File, the file doesn't have to end in ".key".
> Q: do I need to place my corresponding key in a separate file? I ask in
> case it has relevance to my first question. The server seems to work out if
> the private key is in the chain file or not, at startup.
The key doesn't have to be in a separate file.
If it works...
Alan DeKok.
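Since the server prints no debug line saying whether a realm chain was pre-loaded, the following added example (not part of this thread or of FreeRADIUS itself) audits a realm directory against the layout the README describes: each chain file ends in `.pem`, contains at least one CERTIFICATE block, and carries its private key either inline at the top or in a sibling `.key` file. The PEM bodies, file names and directory are constructed for the demonstration; the script reads only the BEGIN/END markers and does not validate the certificates themselves.

```python
"""Audit a FreeRADIUS-style realm certificate directory.

Added example, not FreeRADIUS code. It checks the conventions from
raddb/certs/realms/README.md: <realm>.pem chain files, optional <realm>.key.
"""
import re
import tempfile
from pathlib import Path

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed placeholder PEM bodies: only the markers matter to this audit.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedCertBody==\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedKeyBody==\n-----END PRIVATE KEY-----\n"


def pem_block_types(text):
    """Return the PEM block labels in a file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_private_key(label):
    """True for PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY."""
    return label.endswith("PRIVATE KEY")


def audit_realm_dir(realm_dir):
    """Return {realm: report} for every non-.key file in realm_dir.

    report: ok (bool), certs (int), key_location ('inline' | 'file' | None),
    problems (list of str).
    """
    reports = {}
    for path in sorted(Path(realm_dir).iterdir()):
        if not path.is_file() or path.suffix == ".key":
            continue  # key files are checked via their .pem sibling
        problems = []
        if path.suffix != ".pem":
            # The README requires .pem for files found by realm_dir at startup.
            problems.append("filename does not end in .pem, so realm_dir will not preload it")
        labels = pem_block_types(path.read_text())
        certs = sum(1 for label in labels if label == "CERTIFICATE")
        if certs == 0:
            problems.append("no CERTIFICATE block found")
        if any(is_private_key(label) for label in labels):
            key_location = "inline"
        elif path.with_suffix(".key").exists():
            key_location = "file"
        else:
            key_location = None
            problems.append("no private key inline and no sibling .key file")
        reports[path.stem] = {
            "ok": not problems,
            "certs": certs,
            "key_location": key_location,
            "problems": problems,
        }
    return reports


def build_sample_dir():
    """Create a constructed realm directory covering the cases the audit distinguishes."""
    d = Path(tempfile.mkdtemp(prefix="realms-"))
    (d / "example.org.pem").write_text(FAKE_KEY + FAKE_CERT + FAKE_CERT)  # key inline, 2 certs
    (d / "example.com.pem").write_text(FAKE_CERT)                         # key in sibling file
    (d / "example.com.key").write_text(FAKE_KEY)
    (d / "example.net.pem").write_text(FAKE_CERT)                         # no key anywhere
    (d / "legacy.crt").write_text(FAKE_KEY + FAKE_CERT)                   # wrong extension
    return d


if __name__ == "__main__":
    for realm, report in audit_realm_dir(build_sample_dir()).items():
        status = "OK " if report["ok"] else "BAD"
        print(f"{status} {realm}: certs={report['certs']} key={report['key_location']}"
              + ("" if report["ok"] else "  " + "; ".join(report["problems"])))
```

Run it against the real directory by replacing `build_sample_dir()` with the path configured as `realm_dir`; a realm that appears as BAD with the "not end in .pem" problem will still load fine through `TLS-Session-Cert-File`, as the reply above notes, but will not be cached at startup.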