> >I've actually dropped the -crl_check from this test, as I'm not doing
> >crl checking within FreeRADIUS until I've got it working without it.
> >Also, this command didn't seem to work when my verisign.pem contained >1
> >cert, even after a c_rehash, it only worked if all the certs were in
> >individual files:
> >
> >jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath .. jrs-radius02.pem
> >jrs-radius02.pem: OK
> >
>
> What?
>
> openssl verify -CAfile verisign.pem jrs-radius02.pem
>
> isn't working? Then something is wrong with your chain file. Check that
> you are using the correct root certificate and cat certificates again in
> a new bundle.

OK, got this bit sorted, which was me being a tool. I was using vim, and hadn't noticed one file was being opened in dos mode and the other in unix. As soon as I catted them together instead of copy-pasting between terminals I saw that the root block was ending lines with ^M. Converted that to unix format, re-catted the two into my ca pem file, and openssl is now happy with a file containing multiple certs and validates the chain.

My client is still giving the same behaviour of not getting the certificate chain, however. I did wonder if Windows was being daft, and resaved the ca file so all certs within it were in dos format instead of unix. After another rehash openssl still verified the chain fine, but my client is still not playing ball.

Dan
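
An added example, not part of the original post: a Python check for the mixed line endings described above. It reports the line-ending style of each certificate block in a concatenated CA file and rewrites the file with LF endings. The sample bundle is constructed (placeholder base64, not real certificates) and the function names are hypothetical.

```python
import re

# One PEM certificate block, tolerating LF or CRLF after the BEGIN line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: first block saved in unix format, second in dos format.
SAMPLE = (
    b"-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\r\nRUZHSA==\r\n-----END CERTIFICATE-----\r\n"
)


def line_ending(block: bytes) -> str:
    """Classify one block as 'lf', 'crlf' or 'mixed'."""
    crlf = block.count(b"\r\n")
    lf = block.count(b"\n") - crlf  # bare LFs not preceded by CR
    if crlf and lf:
        return "mixed"
    return "crlf" if crlf else "lf"


def audit_bundle(data: bytes) -> list:
    """Line-ending style of each certificate block, in file order."""
    return [line_ending(m.group(0)) for m in PEM_BLOCK.finditer(data)]


def normalize_bundle(data: bytes) -> bytes:
    """Rewrite the bundle with LF endings, one block after another.

    Text outside the BEGIN/END markers (comments, blank lines) is dropped.
    """
    blocks = [m.group(0).replace(b"\r\n", b"\n") for m in PEM_BLOCK.finditer(data)]
    return b"".join(block + b"\n" for block in blocks)


if __name__ == "__main__":
    styles = audit_bundle(SAMPLE)
    for index, style in enumerate(styles, start=1):
        print(f"cert {index}: {style}")
    if len(set(styles)) > 1:
        print("bundle mixes line endings; normalized copy:")
        print(normalize_bundle(SAMPLE).decode("ascii"), end="")
```

Reading the file in binary mode matters here, since text mode would translate the line endings before they can be inspected.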

