On Mon, 9 Jan 2012, Phil Mayers wrote:

On 09/01/12 17:42, Mike Diggins wrote:

I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
authentication certificate currently. My eap.conf 'certificate file'
contains the certificate only, not the root and/or intermediates. That
seems to be ok, since most clients already have the Thawte Root
certificate installed.

I renewed the new certificate just recently and discovered that Thawte
is no longer issuing certificates under the old root so my clients will
likely be asked to trust the new certificate when I install it. All my
documentation changes as well but that's another story.

My question is, what is the value of adding the roots/intermediates to
the certificate file, i.e. certificate_file = ${certdir}/certificate.crt?
Does it really allow a client without the Root already installed to
verify this certificate?

Most clients:

1. Have all the common "top-level" CAs installed
2. May or may not have the intermediate CAs

We put the server & intermediate certs (NOT the top-level) into the cert file, and in our experience this lets all clients (Windows, MacOS, iOS, Android) connect without errors.

I believe that, if the client really does lack the top-level CA, you're screwed. You will have to manually install at least the top-level cert, except on MacOS (and possibly iOS, but not sure).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Do the certificates need to be listed in any particular order in the certificate_file?

-Mike
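On the ordering question: OpenSSL's chain-file loader, which FreeRADIUS uses for certificate_file, expects the server certificate first, followed by each intermediate that signed the certificate before it. The POSIX shell function below is an added check, not something from this thread or from FreeRADIUS; it splits a PEM bundle with awk and uses the openssl command line to confirm that order and to flag a self-signed root at the end (which, as Phil notes, clients already have). The file names in the comments are assumptions.

```shell
#!/bin/sh
# check_chain_order BUNDLE
# Splits a PEM bundle (e.g. the file named by certificate_file in eap.conf)
# into its certificates and checks that it is ordered the way OpenSSL loads
# a chain file: server certificate first, then the intermediate that signed
# it, and so on. Exit status:
#   0 = server + intermediates, in order
#   2 = in order, but a self-signed root is included at the end (not needed)
#   1 = order broken (a certificate is not followed by its issuer)
check_chain_order() {
  bundle="$1"
  dir=$(mktemp -d) || return 3
  # one file per certificate: cert.1, cert.2, ... in bundle order
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert." n) }' "$bundle"
  count=$(ls "$dir" | wc -l | tr -d ' ')
  if [ "$count" -eq 0 ]; then
    echo "$bundle: no certificates found"; rm -rf "$dir"; return 1
  fi
  rc=0
  i=1
  while [ "$i" -le "$count" ]; do
    f="$dir/cert.$i"
    # RFC2253 formatting keeps subject and issuer strings directly comparable
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    echo "cert $i: subject=$subj issuer=$iss"
    if [ "$subj" = "$iss" ]; then
      if [ "$i" -eq "$count" ]; then
        echo "  self-signed root at the end: clients trust it already, not needed here"
        [ "$rc" -eq 0 ] && rc=2
      else
        echo "  self-signed certificate at position $i with more certificates after it"
        rc=1
      fi
    elif [ "$i" -lt "$count" ]; then
      next_subj=$(openssl x509 -in "$dir/cert.$((i+1))" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
      if [ "$next_subj" != "$iss" ]; then
        echo "  issuer does not match the subject of cert $((i+1)): out of order or missing"
        rc=1
      fi
    fi
    i=$((i+1))
  done
  rm -rf "$dir"
  return "$rc"
}

# usage (assumed path): check_chain_order /etc/raddb/certs/server.pem
if [ $# -gt 0 ]; then check_chain_order "$1"; fi
```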
