Remember when you put your Root CA file (and perhaps the CRL for that CA) into your certificate directory, and ran 'c_rehash <cert directory>'?
Well - it's just like that. You might have had RootCA.pem with the Verisign
CA certificate. Personally - I like to have a separate file for each
intermediate CA certificate in the chain.

When you think you are done - you can test the validity of your new
certificate like this:

    openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert

Hope this helps. Give it a go and let us know if you have any problems.

--
Matt

On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan <[email protected]> wrote:
> I'm sure I must just be being thick with our FreeRADIUS config, but I've
> completely failed to find anything online or in the docs explaining
> *what* I'm doing wrong, so I'm posting here.
>
> We've had a FreeRADIUS server set up for some time now, with an SSL
> certificate directly signed by one of Verisign's root CAs, for the
> purposes of doing EAP-TLS domain auth. This worked fine on both
> FreeRADIUS 1.1.7 and 2.0.5. However, our cert is due to expire in a
> month, and it would appear no one issues root-signed certs any more;
> they're all cert chains. Obviously with things like Apache this is fine,
> as you install the chain bundle file at the same time as your actual
> cert, and the chain gets passed to the client, who follows it to a root
> CA they do already trust. I'm having trouble working out how to do this
> with FreeRADIUS, however. All the info I can find suggests that if I edit
> my certificate file so that it contains multiple certs, from least
> trusted at the top (my server cert) down the chain and file to the one
> which has been signed by a root CA the user's machine will already
> trust, then machines will follow the chain as expected and accept the
> certificate. However, if I do this, and have a chain file of the same
> format as I use successfully on the web server (i.e. multiple BEGIN and
> END blocks with a single cert between each pair), then my client
> machines still fail to pick up the chain, and thus can't validate the
> certificate.
>
> Am I missing something blindingly obvious with regards to how to do
> certificate chains in FreeRADIUS? If so, please tell me what.
>
> Thanks
>
> --
> Dan Meyers
> Network Specialist, Lancaster University
> E-Mail: [email protected]
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
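The procedure from Matt's reply (one file per CA certificate in the
certificate directory, hash links as created by c_rehash, then
'openssl verify -crl_check -CApath ...' against the server certificate)
as a self-contained script. This is an added example, not code from the
thread or from the FreeRADIUS project. It builds a throwaway
root -> intermediate -> server chain with openssl, creates the hash
links by hand (the same 'subject hash'.0 / 'subject hash'.r0 names
c_rehash and 'openssl rehash' produce), and then runs the verify command
three ways so the two common failure modes are visible: the intermediate
missing from the directory, and -crl_check with no CRL for the
intermediate hashed into it. It assumes only that 'openssl' (1.1.1 or
newer) is on PATH; every file name, subject name and directory below is
constructed for the example.

```bash
#!/bin/sh
# Added example (not from the list thread): build a test root -> intermediate -> server
# chain, hash the CA files into a directory the way c_rehash does, and verify the leaf.
# Assumption: 'openssl' 1.1.1+ on PATH. All names here are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
CERTDIR="$WORK/certs"        # root + intermediate + intermediate CRL (the recommended layout)
NOCRL_DIR="$WORK/nocrl"      # root + intermediate, no CRL
ROOTONLY_DIR="$WORK/rootonly" # root only, intermediate missing
mkdir -p "$CERTDIR" "$NOCRL_DIR" "$ROOTONLY_DIR"

# Issuer certificates must carry basicConstraints CA:TRUE or verify will not use them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

gen_csr() {  # $1 = file prefix, $2 = subject CN (constructed test names)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}
gen_csr root   "Example Test Root CA"
gen_csr int    "Example Test Intermediate CA"
gen_csr server "radius.example.test"

# Self-signed root; intermediate signed by the root; server cert signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.pem 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null

# An (empty) CRL from the intermediate: -crl_check needs the CRL of the leaf's issuer.
printf '[ ca ]\ndefault_ca = ca_default\n[ ca_default ]\ndatabase = index.txt\n' > ca.cnf
printf 'crlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 1\n' >> ca.cnf
touch index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -gencrl -keyfile int.key -cert int.pem -out int.crl 2>/dev/null

# What c_rehash does: copy each file in and link it as <subject hash>.N (certs) or
# <issuer hash>.rN (CRLs); N counts up when two subjects hash to the same value.
hash_into() {  # $1 = target dir, remaining args = PEM files (*.crl treated as CRLs)
    dir=$1; shift
    for f in "$@"; do
        case "$f" in
            *.crl) h=$(openssl crl  -in "$f" -noout -hash); pfx=r ;;
            *)     h=$(openssl x509 -in "$f" -noout -hash); pfx=  ;;
        esac
        cp "$f" "$dir/"
        i=0
        while [ -e "$dir/$h.$pfx$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$pfx$i"
    done
}
hash_into "$CERTDIR"     root.pem int.pem int.crl
hash_into "$NOCRL_DIR"   root.pem int.pem
hash_into "$ROOTONLY_DIR" root.pem

# The two checks from the reply; each returns openssl's own exit status (0 = valid).
verify_chain()    { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CApath "$1" "$2" >/dev/null 2>&1; }

report() {  # $1 = description, rest = command; never aborts the script on failure
    desc=$1; shift
    if "$@"; then echo "ok   : $desc"; else echo "FAIL : $desc"; fi
}
report "root+intermediate in CApath"                 verify_chain    "$CERTDIR"      server.pem
report "root+intermediate+CRL, -crl_check"           verify_with_crl "$CERTDIR"      server.pem
report "no CRL hashed in, -crl_check (expect FAIL)"  verify_with_crl "$NOCRL_DIR"    server.pem
report "intermediate missing (expect FAIL)"          verify_chain    "$ROOTONLY_DIR" server.pem
```

Running it prints two "ok" lines followed by two "FAIL" lines. The
third line is the caveat behind Matt's '-crl_check' flag: without the
issuing CA's CRL in the directory, openssl reports "unable to get
certificate CRL" even though the chain itself is fine, so the CRL (or
the flag) has to be dealt with before the result is meaningful. The
fourth line is Dan's situation seen from the verifier's side: a leaf
whose issuer is not in the directory cannot be built up to the trusted
root.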

