ok :) I provide the certificate files and eap.conf in a tarball so as not to
post too long a mail.
If I print [EMAIL PROTECTED] in text form I see how radius is the
issuer of the certificate. This is the default PKI and I don't know what
I'm doing wrong.
Thanks for your attention.
I get the exact same error at the CLI:
[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < server.pem
stdin: OK
[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < [EMAIL PROTECTED]
stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate
Your certificates are invalid:
* server.pem is signed by ca.pem, which is correct:
    Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./[EMAIL PROTECTED], CN=Example Certificate Authority
    Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
* user.pem is signed by *server.pem*, which is WRONG:
    Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
    Subject: C=FR, ST=Radius, O=Example Inc., [EMAIL PROTECTED]/[EMAIL PROTECTED]
You have signed the user cert with the server cert, which is incorrect.
You must sign the user cert with the CA cert.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
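
The diagnosis in the reply above can be reproduced offline. The script below is an added example, not part of the original thread: it builds a throwaway CA, a server certificate and two user certificates (one signed by the server certificate, one by the CA), then runs the same `openssl verify -CAfile ca.pem` check. All file names, subjects, the helper functions and `min.cnf` are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for this example.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$d/min.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_req NAME CN: create NAME.key and NAME.csr
new_req() {
    openssl req -new -config "$d/min.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null
}
# sign SIGNER NAME SERIAL: issue NAME.pem from NAME.csr with SIGNER's cert and key
sign() {
    openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
        -set_serial "$3" -days 1 -out "$d/$2.pem" 2>/dev/null
}
# chains_to_ca NAME: the check from the thread, openssl verify -CAfile ca.pem
chains_to_ca() { openssl verify -CAfile "$d/ca.pem" "$d/$1.pem" >/dev/null 2>&1; }
# issuer_is SIGNER NAME: does NAME's issuer name equal SIGNER's subject name?
issuer_is() {
    [ "$(openssl x509 -noout -issuer_hash -in "$d/$2.pem")" = \
      "$(openssl x509 -noout -subject_hash -in "$d/$1.pem")" ]
}

# Self-signed CA, then a server certificate issued by it.
openssl req -x509 -config "$d/min.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=Example Certificate Authority" \
    -days 1 2>/dev/null
new_req server "Example Server Certificate"; sign ca server 1
new_req user "user@example.org"
cp "$d/user.csr" "$d/user_bad.csr"
sign server user_bad 2   # the mistake from the thread: signed with the server cert
sign ca user 3           # the fix: signed with the CA cert

for c in server user_bad user; do
    if chains_to_ca "$c"; then echo "$c.pem: OK"
    else echo "$c.pem: does not chain to ca.pem"; fi
done
```

Comparing `-issuer_hash` of the failing certificate with `-subject_hash` of each candidate signer is a quick way to see which certificate actually issued it.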