Yeah!! Then you agree with me. I've been explaining (trying) in this forum that the client cert must be signed by the CA cert. The bootstrap command signs the client cert with server.key and this does not work. The solution is to replace the signing in certs/Makefile (-key server.key -cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree with me when I
I think so.
say, with fear and respect, that the default radius PKI doesn't work?
Hmm. Maybe; I guess most people test PEAP which just uses CA & server certs, no client certs.
I'm by no means an expert, and Makefiles make my brain hurt, so I could be misreading it.
Alan - it does look to my untrained eye as if the "client.crt" Makefile target in /etc/raddb/certs is signing the client key with the server key. Is this intentional, or a bug?
Second: if I sign client certificates with ca.key I assume that I can't manage the CRL because it should be signed with server.key, am I right?
I don't think so. Again, I think the CRL is signed with the CA key. Of course, you'll need to run your own crl commands, the FreeRadius stuff doesn't come with that.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
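
A way to check the two points discussed in this thread, as an added example that is not from the posters or from FreeRADIUS: it builds a constructed throwaway PKI with plain openssl commands (not the certs/Makefile), asks `openssl verify` whether a client certificate signed with server.key or with ca.key chains to ca.pem, and checks a CRL issued with ca.key. All subjects, file names and pki.cnf sections are assumptions, and the server certificate here carries no CA basicConstraints.

```shell
#!/bin/sh
# Constructed throwaway PKI. File names echo raddb/certs, but every subject,
# file and config section here is made up for the demonstration.

# issue NAME SIGNER_CERT SIGNER_KEY: new key and CSR for NAME, signed by the signer.
issue() {
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 1 -out "$1.pem" 2>/dev/null
}

# chain_ok CERT: true only if CERT validates up to ca.pem. server.pem is offered
# as a candidate intermediate, the most generous case for a server-signed cert.
chain_ok() {
    openssl verify -CAfile ca.pem -untrusted server.pem "$1" >/dev/null 2>&1
}

# crl_ok: true only if crl.pem carries a valid signature from ca.pem.
crl_ok() {
    openssl crl -in crl.pem -CAfile ca.pem -noout 2>&1 | grep -q 'verify OK'
}

# build_pki: CA, server cert, two client certs and a CRL in a fresh temp dir.
build_pki() {
    cd "$(mktemp -d)" || return 1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[ca]' 'default_ca = demo_ca' '[demo_ca]' 'database = index.txt' \
        'default_md = sha256' 'default_crl_days = 1' > pki.cnf
    : > index.txt
    openssl req -x509 -new -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=Example CA" -days 1 -keyout ca.key -out ca.pem \
        2>/dev/null || return 1
    issue server ca.pem ca.key || return 1
    # Signed with the server key, as the thread says the bootstrap does:
    issue client-server-signed server.pem server.key || return 1
    # Signed with the CA key, the fix proposed in the thread:
    issue client-ca-signed ca.pem ca.key || return 1
    # CRL issued with the CA key:
    openssl ca -config pki.cnf -gencrl -keyfile ca.key -cert ca.pem \
        -out crl.pem 2>/dev/null
}

build_pki || { echo "openssl setup failed" >&2; exit 1; }
for c in client-server-signed client-ca-signed; do
    if chain_ok "$c.pem"; then echo "$c: chain OK"; else echo "$c: REJECTED"; fi
done
if crl_ok; then echo "crl: signed by CA"; else echo "crl: BAD signature"; fi
```

The same `openssl verify -CAfile ca.pem client.pem` check can be run against the files an existing bootstrap produced to see which key actually signed the client certificate.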

