[EXTERNAL] Re: Intermediate-Trust certificate issues
Hector Rodriguez
hector.rodriguez at westcare.com
Fri May 1 19:31:46 UTC 2026
Alan,
Thank you for replying, it means a lot to me. The version installed is 3.2.5. Are you saying that upgrading to version 3.2.9 should fix the issue? (Yes || no) I currently see the version on the site. Unsure based on the response if it's already committed into the new version.
________________________________
From: Alan DeKok
Sent: Friday, May 1, 2026 3:20 PM
To: FreeRadius users mailing list
Cc: Hector Rodriguez
Subject: Re: [EXTERNAL] Re: Intermediate-Trust certificate issues
On May 1, 2026, at 2:35 PM, Hector Rodriguez via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I hope everyone is well. Currently I have implemented Free Radius in a test environment with EAP-TLS mode enabled.
Which version?
> My environment currently has a two tier PKI (CA Root and CA Issuer within the Intune Microsoft Cloud PKI environment). Our Free Radius server is configured to have an SSL from the CA server installed within my Free Radius Server, which is generated by the CA config. Our Root CA and Issuer CA certificates have been imported from Intune, and converted from Cer to PEM/CRT file formats, and the EAP config file has been edited to point to a bundled (full chain) Issuer CA cert. The server's certificate store has been updated to trust the Microsoft CA and Issuer CA for our environment. I have created a configuration profile within Intune to grant machines (in my case, just a test machine) to install both CA ROOT and Issuer certs to their respective certificate store. Public certs are owned by the freerad user and currently have the 755 permissions.
OK. There's always some magic fighting with certificates, but that sounds reasonable.
> Another thing to note is that we are currently using a Unifi switch and we have set the controller profile to authenticate with Radius. I have been going a bit insane trying to figure out why the Free Radius server is not trusting my intermediate certificate when I have clearly followed the appropriate instructions. No matter what I do the intermediate cert is not trusted. Authentication only occurs when I set: reject_unknown_intermediate_ca to No. I have been noticing that other users have a similar issue, with PKIs related to Microsoft Cloud PKI. Do you think there will be a fix? Is there anything that I can do for this issue? Although it seems unsafe, do you think it would be OK to set reject_unknown_intermediate_ca =no?
IIRC there were issues with intermediate certs at one point. The fix is likely in commit aca3a5955d4e
i.e. it will be in 3.2.9, which we expect to release shortly.
Alan DeKok.