Sergio Yébenes Moreno wrote:
> I think that PKI that comes with freeradius by default are shit

Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificate are
> signed by SERVER CERTIFICATE and this by ca certificate.

Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
>
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong.

Alan DeKok.

