1. Create a folder somewhere (doesn't matter where, as long as the
radiusd process can read it).
    # mkdir /my_ca
2. Copy your CA certs and your CRLs to .pem files into this directory.
    # cp johns-cacert.pem /my_ca
    # cp johns-crl.pem /my_ca
    # cp jims-cacert.pem /my_ca
    # cp jims-crl.pem /my_ca
    ...
    ...
3. Run c_rehash (/usr/local/bin/c_rehash?
/usr/local/ssl/bin/c_rehash? wherever OpenSSL put it).
    # c_rehash /my_ca
    Doing .
    jims-cacert.pem => 1987cbba.0
    johns-crl.pem => 033b73a6.r0
    johns-cacert.pem => 033b73a6.0
    jims-crl.pem => 1987cbba.r0
    ...
    ...
    #
4. Edit eap.conf, commenting out CA_file, and specifying CA_path.
    tls {
        ...
        ...
        #CA_file = ${raddbdir}/ca/cacert.pem
        CA_path = /my_ca
        check_crl = yes
        ...
        ...
    }
You can add and remove CA certs and CRL files as you choose to
trust or untrust them, on the fly. Just rerun "c_rehash /my_ca" every
time you do.
Dean.
Jacques VUVANT wrote:
Hi all
I've installed and use freeradius 1.0.1 for EAP/TLS
authentication. It works well without CRL. But each time I want to
activate check_crl = yes in the eap.conf file, authentication fails with
the following message:
*** unable to get certificate CRL***
Can someone help me with the following questions:
What does a CRL file look like?
Where (directory) does it have to be?
Are there some modifications to make to the .conf file?
Thanks for any answer
Jacques VUVANT
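
A check for the directory built in steps 1 to 3 above, as an added example that is not part of the original messages: OpenSSL reports "unable to get certificate CRL" when it cannot find a CRL for a certificate's issuer, so with check_crl = yes every <hash>.N cert link in CA_path should have a matching <hash>.rN CRL link. The helper name missing_crls is hypothetical, and the script looks only at the link names c_rehash prints, not at CRL contents or expiry.

```shell
#!/bin/sh
# Added example: audit a c_rehash'ed CA_path directory (such as /my_ca).
# Uses only the link names c_rehash creates: <hash>.<n> for CA certs and
# <hash>.r<n> for CRLs. It does not parse the files or check CRL expiry.

# missing_crls DIR (hypothetical helper name)
# Prints each issuer hash that has a cert link but no CRL link, one per line.
# Returns 0 if every CA has a CRL, 1 if any lacks one, 2 if DIR is unreadable.
missing_crls() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "missing_crls: cannot read directory: $dir" >&2
        return 2
    fi
    miss=0
    seen=""
    for cert in "$dir"/*.[0-9]*; do
        [ -e "$cert" ] || continue            # glob matched nothing
        name=${cert##*/}
        # Accept only c_rehash cert links: 8 hex digits, a dot, a number.
        printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' || continue
        hash=${name%%.*}
        # <hash>.0 and <hash>.1 share one issuer hash; report it once.
        case " $seen " in *" $hash "*) continue ;; esac
        seen="$seen $hash"
        found=no
        for crl in "$dir/$hash".r[0-9]*; do
            if [ -e "$crl" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$hash"
            miss=1
        fi
    done
    return "$miss"
}

# Stand-alone use: sh check_ca_path.sh /my_ca
if [ "$#" -gt 0 ]; then
    missing_crls "$1"
fi
```

Run it after each "c_rehash /my_ca"; a non-zero exit means at least one trusted CA has no CRL link in the directory.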