Issues extending EAP-TLS to use OCSP

Przemysław Basa pmb at langbit.pl
Sat Mar 8 19:15:42 UTC 2025


On 08.03.2025 00:31, Craig Huckabee wrote:
> 
> If your OCSP certificate lacks the OCSP specific OID it will fail that basic verification process.
> 

That was indeed the case - thank you! It was driving me nuts.

My current working solution is to use an intermediate CA to sign server.pem and client certificates. It also signs the 
OCSP responder certificate, which has the EKU set to OCSPSigning.

For anyone wondering why an intermediate CA is necessary, the reason is that OpenSSL complains about a self-signed 
certificate in the chain when the OCSP responder certificate is signed directly by the root CA.

For completeness, I'll also mention that trying to add the OCSPSigning flag directly to the root CA results in the 
following errors:

(5) eap_tls:   ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose
(5) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal unsupported_certificate
(5) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:unsupported certificate
(5) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed
(5) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail

Regards,
Przemyslaw Basa
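
As an added example (not part of the message above, and not FreeRADIUS' or OpenSSL's own code), the following POSIX shell 
script reproduces the layout the message ends up with, a root CA signing an intermediate that in turn signs the server, 
client and OCSP responder certificates, using only the OpenSSL command line. It then runs `openssl verify -purpose` over 
the result to show which purposes each certificate is accepted for, and rebuilds the variant the message warns about, an 
OCSPSigning EKU on the root itself, which fails the sslclient purpose check the same way the EAP-TLS handshake above 
failed. All names (root, int, ocsp, server, client, badroot, badint, badclient, the CN values) and the scratch directory 
are made up for the example; the OCSP request/response exchange itself is not simulated, only the certificate checks that 
precede it.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS/OpenSSL.
# Builds root -> intermediate -> {ocsp, server, client} with the OpenSSL CLI
# and checks each certificate against the purpose OpenSSL will verify it for.
set -eu

PKI=${PKI_DIR:-$(mktemp -d)}   # scratch directory (assumed writable)

ca_ext() {   # $1 = pathlen; extension text for a CA certificate
    printf '%s\n' "basicConstraints = critical, CA:TRUE, pathlen:$1" \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid'
}
leaf_ext() { # $1 = EKU for this leaf: OCSPSigning, serverAuth or clientAuth
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        "extendedKeyUsage = critical, $1" \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid'
}
csr() {      # $1 = name: fresh P-256 key and a CSR with CN=$1 (made-up names)
    openssl ecparam -name prime256v1 -genkey -noout -out "$PKI/$1.key"
    openssl req -new -key "$PKI/$1.key" -subj "/CN=$1" -out "$PKI/$1.csr"
}
make_root() { # $1 = name, $2 = optional extra extension line (the pitfall below)
    csr "$1"
    { ca_ext 1; printf '%s\n' "${2:-}"; } > "$PKI/$1.ext"
    openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" -days 3650 \
        -extfile "$PKI/$1.ext" -out "$PKI/$1.pem" 2>/dev/null
}
issue() {     # $1 = name, $2 = issuer; extension text is read from stdin
    cat > "$PKI/$1.ext"
    csr "$1"
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" \
        -CAcreateserial -days 365 -extfile "$PKI/$1.ext" -out "$PKI/$1.pem" 2>/dev/null
}
# 0 when cert $3 chains to root $1 through intermediate $2 and OpenSSL accepts
# it for purpose $4 (sslclient, sslserver, ocsphelper, ...)
verify_as() {
    openssl verify -purpose "$4" -CAfile "$PKI/$1.pem" -untrusted "$PKI/$2.pem" \
        "$PKI/$3.pem" >/dev/null 2>&1
}
# 0 when certificate $1 carries the OCSP Signing extended key usage
has_ocsp_signing_eku() {
    openssl x509 -in "$PKI/$1.pem" -noout -text | grep -q 'OCSP Signing'
}

# The layout from the post: the intermediate signs everything the server uses,
# and only the responder certificate carries OCSPSigning.
build_good_pki() {
    make_root root
    ca_ext 0             | issue int    root
    leaf_ext OCSPSigning | issue ocsp   int
    leaf_ext serverAuth  | issue server int
    leaf_ext clientAuth  | issue client int
}
# The variant the post warns about: OCSPSigning placed on the root CA itself.
build_bad_pki() {
    make_root badroot 'extendedKeyUsage = OCSPSigning'
    ca_ext 0            | issue badint    badroot
    leaf_ext clientAuth | issue badclient badint
}
show() {  # $1 = expected outcome (ok|fail), rest = check to run; fails on surprise
    want=$1; shift
    if "$@"; then got=ok; else got=fail; fi
    printf '%-4s (expected %-4s) %s\n' "$got" "$want" "$*"
    [ "$got" = "$want" ]
}

build_good_pki
build_bad_pki
show ok   has_ocsp_signing_eku ocsp
show ok   verify_as root int ocsp   ocsphelper
show ok   verify_as root int server sslserver
show ok   verify_as root int client sslclient
show fail verify_as root int ocsp   sslclient   # OCSPSigning-only EKU is not a client cert
show fail verify_as badroot badint badclient sslclient   # root EKU: unsuitable purpose
```

Run it with `sh` and set PKI_DIR to keep the generated files. The two `fail` lines are the expected result: a certificate 
whose only EKU is OCSPSigning is rejected for the sslclient purpose, and no chain under badroot passes a TLS purpose 
check at all, because the EKU on the root excludes clientAuth and serverAuth, which is the condition behind the 
"error 26 : unsuitable certificate purpose" line in the log above. The responder itself can then be exercised with 
`openssl ocsp` against ocsp.pem and ocsp.key.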


More information about the Freeradius-Users mailing list