>What I've got currently can be up to 3 files. Firstly, the server
>certificate itself, which has been signed by Verisign's Intermediate CA,
>then the cert for said Intermediate CA, and finally the root cert used
>to sign the Intermediate CA. My current setup is with the server cert in
>a file on its own (jrs-radius02.pem is the cert, jrs-radius02.key is
>the keyfile), and the intermediate and root certs in the same file
>(verisign.pem. Intermediate cert at the top, root cert at the bottom). I
>then have the following config lines in the tls section of eap.conf for
>FreeRADIUS to reference these files:
>
>private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key
>certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem
>CA_file = ${certdir}/jrs-radius02/verisign.pem
>
>> When you think you are done - you can test the validity of your new
>> certificate like this:
>>
>> openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert
>
>I've actually dropped the -crl_check from this test, as I'm not doing
>crl checking within FreeRADIUS until I've got it working without it.
>Also, this command didn't seem to work when my verisign.pem contained >1
>cert, even after a c_rehash, it only worked if all the certs were in
>individual files:
>
>jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath .. jrs-radius02.pem
>jrs-radius02.pem: OK
>

What? openssl verify -CAfile verisign.pem jrs-radius02.pem isn't working?
Then something is wrong with your chain file. Check that you are using
the correct root certificate and cat certificates again in a new bundle.

Ivan Kalik
Kalik Informatika ISP
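
Added example, not part of the original thread: the `-CAfile` bundle check from the reply, run against a throwaway root, intermediate and server chain, once with the matching root in the bundle and once with an unrelated root. It assumes the `openssl` CLI is on the PATH; all subjects, file names and helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every key, subject and file name below is constructed.

make_root() {      # $1 = file prefix, $2 = CN; self-signed root with CA:TRUE
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem"
}

issue() {          # $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = ca | leaf
    ext=''
    if [ "$4" = ca ]; then ext='-extfile ca.cnf -extensions ca'; fi
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 2 $ext -out "$1.pem"
}

build_chain() {    # $1 = empty work directory
    ( cd "$1" || exit 1
      printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
          '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
      make_root root  'Constructed Root' &&
      make_root other 'Constructed Other Root' &&
      issue int    'Constructed Intermediate' root ca &&
      issue server 'radius.example.test'      int  leaf &&
      # Bundle layout from the thread: intermediate on top, root at the bottom.
      cat int.pem root.pem  > good-bundle.pem &&
      cat int.pem other.pem > bad-bundle.pem
    ) >/dev/null 2>&1
}

chain_ok() {       # $1 = CA bundle, $2 = certificate; true only on "<file>: OK"
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q 'OK$'
}

bundle_subjects() { # subject/issuer of every certificate inside a bundle
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

work=$(mktemp -d) && build_chain "$work" && {
    bundle_subjects "$work/good-bundle.pem"
    chain_ok "$work/good-bundle.pem" "$work/server.pem" &&
        echo "intermediate + matching root: OK"
    chain_ok "$work/bad-bundle.pem" "$work/server.pem" ||
        echo "intermediate + unrelated root: chain does not verify"
}
rm -rf "$work"
```

`-CAfile` reads every certificate in the bundle, while a `-CApath` directory is searched through per-certificate hash links, which fits the observation in the quoted message that `-CApath` only worked with one certificate per file.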