
We are running our own PKI with a 3-level hierarchy:
it-master-class1 (self-signed) -> it-ca-class2 -> it-ca-class3.

it-ca-class3 signed our RADIUS server (radiux-pkiit-2008.pem).
In the eap.conf file, in the tls section, I have:
    tls {
        private_key_password = secret
        private_key_file = ${certdir}/radiux-pkiit-2008.key.pass.pem
        certificate_file = ${certdir}/radiux-pkiit-2008.pem
        CA_file = ${certdir}/ca-chain-institut-telecom_long.crt
    }
Unfortunately, SecureW2 Windows clients configured to check certificates, and having it-master-class1 in their CA list, don't accept our TLS security :-(. They say they received a bad certificate from the server!?

I wonder if I didn't make a misconfiguration in the radiusd/eap/tls section above. certificate_file points to our RADIUS SSL server certificate, CN=radius.it-sudparis.eu, but what should CA_file point to in our case? The it-master-class1 root CA certificate? The it-ca-class3 CA which signed our RADIUS server? A bundle of the 3 CAs (as it is now!)? In which order, class 1-2-3 or class 3-2-1? In PEM or DER? Short or long CA files (by this I mean only what is between --BEGIN CERTIFICATE-- and --END CERTIFICATE--, or also the "blabla" above)? Perhaps only certificate_file = ${certdir}/radiux-pkiit-2008.pem could be used, but in that case radiux-pkiit-2008.pem should contain the RADIUS server certificate + a bundle of the 3 CAs; in which order? Short or long? ...

You see, I have lots of possibilities and questions!

I am much more used to configuring SSL in Apache's ssl.conf; to me it is clear, as the directives are self-explanatory:
SSLCertificateFile /etc/pki/tls/certs/server-2008.pem
SSLCertificateKeyFile /etc/pki/tls/private/server-2008.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-chain-institut-telecom.crt
SSLCACertificateFile /etc/pki/tls/certs/itrootca-class1.crt
In eap.conf I don't see any distinction between the httpd equivalents SSLCertificateChainFile and SSLCACertificateFile.
I also use openssl s_client to test my servers' certificate settings:
openssl s_client -host mutuel.it-sudparis.eu  -port 443
But I cannot do the same for RADIUS? openssl s_client -host radius.it-sudparis.eu -port 1812 => socket: Connection refused :-(.

Thanks for your help .

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
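The post above asks in which order a CA bundle should be assembled and whether the "long" PEM form (text outside the BEGIN/END markers) is a problem. As an added illustration, not part of the original message and not FreeRADIUS or OpenSSL code, the following stdlib-only Python script lints a PEM bundle the way a practitioner would check one before pointing a server at it: it splits the file into certificates, reports whether any text exists outside the markers (OpenSSL's PEM reader skips such text, so the "long" form is harmless), and verifies the conventional chain order, in which each certificate is issued by the one that follows it, ending in a self-signed root. The DER walk is deliberately minimal (it only reaches the issuer and subject fields) and does no signature checking; the sample bundle is constructed from syntactically valid but unsigned dummy certificates whose CNs mirror the hierarchy in the post, with a placeholder hostname.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"   # DER-encoded OID id-at-commonName (2.5.4.3)

# ---- minimal DER helpers: just enough to reach issuer/subject inside a certificate ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def cert_names(der):
    """Return (subject, issuer) as raw DER Name bodies so they can be compared byte-for-byte."""
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[4][1], fields[2][1]

def common_name(name_body):
    i = name_body.find(CN_OID)
    if i < 0:
        return "<no CN>"
    _, value, _ = read_tlv(name_body, i + len(CN_OID))
    return value.decode("utf-8", "replace")

# ---- bundle linting ----
def split_pem_bundle(text):
    """Return (DER certs in file order, True if any text sits outside the PEM markers)."""
    certs = [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]
    extra_text = bool(PEM_RE.sub("", text).strip())
    return certs, extra_text

def check_chain_order(certs):
    """Check that cert i is issued by cert i+1.
    Returns ([(subject CN, issuer CN)], [problem strings], last cert is self-signed?)."""
    names = [cert_names(c) for c in certs]
    problems = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"cert {i} ({common_name(names[i][0])}) is not issued by "
                            f"cert {i + 1} ({common_name(names[i + 1][0])})")
    root_self_signed = names[-1][0] == names[-1][1]
    return [(common_name(s), common_name(i)) for s, i in names], problems, root_self_signed

# ---- constructed sample data: unsigned dummy certificates, for demonstration only ----
def _name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, CN_OID + tlv(0x13, cn.encode()))))

def fake_cert(subject, issuer, serial):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") + _name(issuer)
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
              + _name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(der, header=""):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{header}-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

CHAIN = [("radius.example.test", "it-ca-class3", 1), ("it-ca-class3", "it-ca-class2", 2),
         ("it-ca-class2", "it-master-class1", 3), ("it-master-class1", "it-master-class1", 4)]
# "long" form: human-readable text above each block, as openssl x509 -text would emit
GOOD_BUNDLE = "".join(to_pem(fake_cert(*c), f"subject={c[0]}\nissuer={c[1]}\n") for c in CHAIN)
REVERSED_BUNDLE = "".join(to_pem(fake_cert(*c)) for c in reversed(CHAIN))

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("reversed", REVERSED_BUNDLE)):
        certs, extra = split_pem_bundle(bundle)
        pairs, problems, root = check_chain_order(certs)
        print(f"{label}: {len(certs)} certs, text outside markers={extra}, root self-signed={root}")
        for s, i in pairs:
            print(f"  subject={s:<24} issuer={i}")
        for p in problems:
            print("  PROBLEM:", p)
```

Run against a real file, replace the constructed bundles with `open(path).read()`; the script then tells you whether the file is leaf-to-root or root-to-leaf and whether it ends in a self-signed certificate. On the s_client point in the post: RADIUS on UDP/1812 does not carry TLS directly (EAP-TLS runs inside EAP, inside RADIUS attributes), so a TCP connect to that port is refused; the usual way to exercise an EAP-TLS server end to end is the eapol_test utility from wpa_supplicant.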
