> To repeat my previous email - xsupplicant does not have a CA cert that
> allows it to trust the server.
>
> The line:
>
> Loaded root certificate /etc/raddb/certs/cert-clt.pem
>
> ...looks wrong. It looks as if you've told xsupp that the CA cert is
> the client cert, which it isn't. They're different things.
>
> In FreeRadius, the "eap.conf" file will have:
>
> eap {
>   tls {
>     certificate_file = /path/to/file.pem
>   }
> }
>
> ...and if you run (against that file):
>
> openssl x509 -noout -text -in /path/to/file.pem |
>   egrep '(Subject|Issuer):'
>
> ...you'll get something like:
>
> Issuer: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
> Subject: C=US, O=MyOrg, OU=MyCA, CN=wireless.myorg.com
>
> The certificate you supply to the CLIENT as the *CA* must be the
> ISSUER cert - that is, the one with:
>
> Subject: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
>
> I would glance at the xsupp documentation to give more advice but the
> crapforge^Wsourceforge docs links appear to lead in a loop. This is
> one reason amongst many others you should seriously consider using
> wpa_supplicant on the clients.

I have a feeling that I've ruined my CA, and I need to re-create my FreeRadius CA. Now, I've re-examined how to make a CA repeatedly, and everything says something different. My CA.pl is located in /etc/pki/tls/misc.
Given this is the case, from scratch, what is the best way to create a "Fresh" CA for FreeRadius? I've tried multiple documents from Ubuntu to RedHat (Mandriva doesn't offer any documentation themselves). So, in the absence of qualified docs, recommendation?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
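
The CA-versus-client-certificate distinction from the quoted reply, as an added example that is not part of the original thread: a shell script that builds a throwaway CA, issues a server and a client certificate from it, and checks which file actually validates the server certificate. The `ca.*`, `server.*` and `client.*` file names, the `laptop01` CN and the helper function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: throwaway CA plus server and client certificates.
# Every name and file below is a constructed sample value.

# issue_cert DIR NAME CN: create key + CSR for CN, signed by DIR/ca.pem
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=MyOrg/OU=MyCA/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: self-signed CA, then one server and one client cert
make_demo_pki() {
    # Self-signed CA certificate: its Subject and Issuer are identical.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=MyOrg/OU=MyCA/CN=My Certificate Authority" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    issue_cert "$1" server wireless.myorg.com &&
    issue_cert "$1" client laptop01
}

# True when the certificate's Subject equals its Issuer (a root CA cert).
is_self_signed() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# True when ROOT ($1) is a trust anchor that validates CERT ($2).
verifies_with() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Try the CA cert and the client cert in turn as the supplicant's root.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    for root in ca client; do
        if verifies_with "$d/$root.pem" "$d/server.pem"; then
            echo "$root.pem as root: server certificate trusted"
        else
            echo "$root.pem as root: server certificate rejected"
        fi
    done
    rm -rf "$d"
}
demo
```

Only `ca.pem` is accepted as the root; `client.pem` is rejected because its Subject is not the Issuer of the server certificate.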