Jeffrey Sewell wrote:
> Thank you.
>
> So if I understand this correctly, radiusd is not looking for a
> directory with checksum'd certificates, just one file with all the
> certificates in it?
Both are possible.

CA_path = ${raddbdir}/certs/trustedCAs/ with c_rehash generated fingerprint symlinks for a directory of trusted CA certificates for EAP-TLS (with client authentication by client certificates).

Or CA_file = ${raddbdir}/certs/trustedCAs.pem, a file with possibly multiple PEM formatted CA certificates for EAP-TLS (with client authentication by client certificates).

My point was that the chain of the radius-server-certificate is actually to be *added* to the file with the radius-server-certificate itself. And that if you want to do plain EAP-*T*TLS and only EAP-TTLS, to be careful to leave CA_file and CA_path nulled/empty. I remember that the inline documentation of the eap.conf file suggests putting the CA certificate issuing the radius server's server certificate into the CA_file, which could open up unwanted EAP-TLS client authentication by client certificates if this CA issued client certificates.

If you configure radiusd to do EAP-TLS, also make sure to use the check_crl = yes option and have up-to-date CRLs available in the CA_path. Make sure c_rehash is building the fingerprint symlinks here as well. To automatically freshen/download CRLs by e.g. cron there is a neat script with some built-in CRL checking etc. available at http://dist.eugridpma.info/distribution/util/fetch-crl/

HTH

--
Kind Regards
Reimer Karlsen-Masur

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
14. DFN-CERT Workshop und Tutorien, CCH Hamburg, 7.-8. Februar 2007
Infos/Anmeldung unter: https://www.dfn-cert.de/events/ws/2007/
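As an added example (not a script from the list post, the FreeRADIUS project or fetch-crl), the following POSIX shell helper ties together the points in the reply above: it checks that the server certificate file carries its issuing chain, that an EAP-TTLS-only eap.conf leaves CA_file and CA_path empty, and that every CA certificate and CRL in the CA_path directory is reachable through a c_rehash fingerprint symlink (HASH.0 for certificates, HASH.r0 for CRLs, which is what check_crl = yes needs). RADDBDIR, the trustedCAs names and server.pem are assumptions chosen to match the paths quoted in the reply; c_rehash and openssl are only invoked by the directory check, not by the two file checks.

```shell
#!/bin/sh
# Added example, not from the original mail. Helper checks for the EAP-TLS
# trust-store layout discussed in the reply:
#   CA_path   = ${raddbdir}/certs/trustedCAs/      (directory, c_rehash'd)
#   CA_file   = ${raddbdir}/certs/trustedCAs.pem   (PEM bundle)
#   check_crl = yes                                (CRLs as HASH.r0 in CA_path)
# Assumptions: RADDBDIR is the raddb directory; file names are hypothetical.

RADDBDIR="${RADDBDIR:-/etc/raddb}"
TRUSTED_DIR="$RADDBDIR/certs/trustedCAs"        # CA_path
TRUSTED_FILE="$RADDBDIR/certs/trustedCAs.pem"   # CA_file
SERVER_CERT="$RADDBDIR/certs/server.pem"        # certificate_file (assumed name)

# count_pem_certs FILE: number of PEM certificate blocks in FILE (0 if missing).
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# server_cert_has_chain FILE: the reply's first point. The server certificate
# file must also carry the issuing CA chain, so expect at least two blocks.
server_cert_has_chain() {
    [ "$(count_pem_certs "$1")" -ge 2 ]
}

# tls_trust_is_empty EAPCONF: the reply's second point. For an EAP-TTLS-only
# server CA_file and CA_path must be unset or empty; succeeds when they are.
# Comment lines are skipped, trailing comments and surrounding quotes dropped.
tls_trust_is_empty() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(CA_file|CA_path)[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # keep the value only
            sub(/[[:space:]]*#.*$/, "")          # drop a trailing comment
            gsub(/^"|"[[:space:]]*$/, "")        # strip surrounding quotes
            sub(/[[:space:]]*$/, "")
            if (length($0) > 0) found = 1
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# rehash_trust_dir DIR: run c_rehash and then confirm each CA certificate
# (HASH.0) and CRL (HASH.r0) in DIR is reachable through a fingerprint link.
# OpenSSL only finds CA_path entries via these links, so a missing link means
# a silently untrusted CA or a CRL that check_crl never consults.
rehash_trust_dir() {
    dir="$1"
    c_rehash "$dir" >/dev/null || return 1
    rc=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q '^-----BEGIN X509 CRL-----' "$f"; then
            h=$(openssl crl -noout -hash -in "$f"); link="$dir/$h.r0"
        else
            h=$(openssl x509 -noout -hash -in "$f"); link="$dir/$h.0"
        fi
        if [ ! -e "$link" ]; then
            echo "no fingerprint link for $f (expected $link)" >&2
            rc=1
        fi
    done
    return $rc
}

# Entry point only when invoked as "sh eap-tls-trust.sh check", so sourcing
# the file merely defines the functions.
if [ "${1:-}" = "check" ]; then
    server_cert_has_chain "$SERVER_CERT" ||
        echo "WARNING: $SERVER_CERT carries no CA chain" >&2
    [ -d "$TRUSTED_DIR" ] && rehash_trust_dir "$TRUSTED_DIR"
    [ -f "$TRUSTED_FILE" ] &&
        echo "$TRUSTED_FILE holds $(count_pem_certs "$TRUSTED_FILE") CA certificate(s)"
fi
```

Run it as `sh eap-tls-trust.sh check` after editing eap.conf; the chain and CA_path checks are the two that the reply says go wrong most often, and the tls_trust_is_empty function can be pointed at an EAP-TTLS-only eap.conf to confirm no client-certificate trust was left configured by accident.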