Alan DeKok wrote:
> William Hegardt wrote:
>
>> EAP-TLS authentication fails with the "fatal unknown ca" message.
>
> The server cert may need to be marked with "CA:true"
>
>> If I hack the Makefile like Sergio mentioned last month to sign the
>> client certificate with the CA key, then authentication succeeds.
>
> That can work, too.
>
>> I'd really like to understand what's wrong. Could wpa_supplicant be
>> somehow incompatible with the bootstrap certificate chain?
>
> It's OpenSSL on both ends. wpa_supplicant && FreeRADIUS are just
> wrappers to get the SSL data back and forth.

Pardon me if I've missed something, but as far as I can tell the server cert isn't authorised to sign client certs, so I can't see how it could work. The CA can sign client certs.

--
REALITY.SYS not found: Universe halted.
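
The point made in this reply, as an added example that is not part of the thread or of the FreeRADIUS bootstrap Makefile: a client certificate issued with the key of a server certificate marked CA:FALSE fails chain verification, while one issued by the CA verifies. All file and subject names are constructed, the CA:FALSE marking on the server certificate is an assumption of the example, and it needs OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example: throwaway PKI with constructed names (ca, server,
# client_by_server, client_by_ca). Not taken from the bootstrap Makefile.

new_csr() {  # $1 = work dir, $2 = subject name
  openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
}

sign_leaf() {  # $1 = work dir, $2 = subject name, $3 = issuer name
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions v3_leaf -days 1 \
    -out "$1/$2.pem" 2>/dev/null
}

build_pki() {  # $1 = empty work dir
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
  # Self-signed root that is allowed to issue certificates.
  openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=ca" -days 1 \
    2>/dev/null || return 1
  new_csr "$1" server && sign_leaf "$1" server ca || return 1
  # Client cert issued with the server's key; the server cert is CA:FALSE.
  new_csr "$1" client_by_server && sign_leaf "$1" client_by_server server || return 1
  # Client cert issued directly by the CA.
  new_csr "$1" client_by_ca && sign_leaf "$1" client_by_ca ca
}

check_client() {  # $1 = work dir, $2 = client cert name; prints the verdict
  # The server cert is offered as an untrusted intermediate, only ca.pem is trusted.
  if openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" \
       "$1/$2.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

d=$(mktemp -d) && build_pki "$d" &&
  for c in client_by_server client_by_ca; do echo "$c: $(check_client "$d" "$c")"; done
rm -rf "$d"
```

Dropping the redirect in `check_client` shows the verifier's own error text for the rejected chain.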