Hi Matthew

2013/8/22 Matthew Ceroni <matthewcer...@gmail.com>
>
> I read that for FreeRadius just combine the cert with the intermediate
> cert into one file and then reference that in eap.conf:certificate_file.
>
> I have done that but clients are still failing certificate validation.
>

Honestly I also had some hassles with the certificate chain; now we can configure clients to check both CA as well as certificate CN.

My experience was that I had to honor the certificate order and make sure to not include unused intermediate certificates. That is:

Don't include a full CA bundle from your CA; stay way below the 64k limit (http://wiki.freeradius.org/guide/Certificate%20Compatibility)

I used OpenSSL to show both subject and issuer and go through the chain of trust starting with the server certificate, which in my case was StartCom. You'll need to know where you can download all root and intermediate roots from your issuing CA.

$ openssl x509 -noout -in mysignedservercert.pem -subject -issuer
subject= <removed>
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

After getting the Class 2 Primary Intermediate Server CA:

$ openssl x509 -noout -in sub.class2.server.ca.pem -subject -issuer
subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

And finally we're up in the chain:

$ openssl x509 -noout -in ca.pem -subject -issuer
subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

# Build the cert bundle for freeradius
cat mysignedservercert.pem > myservercert-roots-bundled.pem
cat sub.class2.server.ca.pem >> myservercert-roots-bundled.pem
cat ca.pem >> myservercert-roots-bundled.pem

This resulted in an 8k file while StartSSL's CA bundle is 124k.

--
Mathieu
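
Added example, not part of the original post: a shell function that automates the manual subject/issuer walk above for a finished bundle, checking that each certificate is issued by the one that follows it, that the file ends at a self-signed root, and that it stays below 64k. The function name check_bundle and the use of OpenSSL's -subject_hash/-issuer_hash for the name comparison are choices made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or from FreeRADIUS).
# Usage: check_bundle myservercert-roots-bundled.pem
check_bundle() {
    bundle=$1
    limit=65536                          # the 64k limit mentioned in the post
    tmp=$(mktemp -d) || return 2
    rc=0

    # Split the bundle into one file per certificate, preserving file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    size=$(($(wc -c < "$bundle")))
    if [ "$size" -ge "$limit" ]; then
        echo "FAIL: bundle is $size bytes, not below $limit"; rc=1
    fi

    prev_issuer=""; prev_file=""; last_subj=""
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || { echo "FAIL: no certificates found"; rc=1; break; }
        subj=$(openssl x509 -noout -subject_hash -in "$f")
        iss=$(openssl x509 -noout -issuer_hash -in "$f")
        openssl x509 -noout -subject -issuer -in "$f"
        # Each certificate after the first must be the issuer of the previous one.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "FAIL: $(basename "$f") is not the issuer of $(basename "$prev_file")"
            rc=1
        fi
        prev_issuer=$iss; prev_file=$f; last_subj=$subj
    done

    # The bundle built in the post ends with the root: subject equals issuer.
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$last_subj" ]; then
        echo "FAIL: last certificate is not self-signed, chain is incomplete"; rc=1
    fi

    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: chain order and size look right"
    return "$rc"
}
```

The check compares names only; it does not verify signatures or validity dates.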