Ahhh! I remember those issues :P Did you try (on Windows) to add the chain into the system/computer keystore, not only the user keystore?

Browsers are able, using OCSP, to follow the chain, and grab the certs on the Internet if needed. That's why the OCSP proxy config has been added to the httpd config in PF 3.5ish.

Francois

On 2013-02-05 10:14 AM, Derek Wuelfrath wrote:
> EHLO list!
>
> Currently running into an "issue" and want to gather some insight to
> understand if it is actually a real "issue" or the normal workflow.
> Here's the situation:
>
> By running PacketFence/FreeRADIUS on a secure SSID using PEAP with a valid
> SSL certificate signed by RapidSSL, we encounter the strange behavior
> that each client (Microsoft Windows, Apple OS X, Apple iOS) actually
> prompts the end user to accept/validate the certificate stating that this
> certificate is signed by a known authority but actually can't be
> "verified". We tried to send the whole chain right into the certificate,
> send the chain with the CA_file FreeRADIUS parameter, nothing actually
> "solves the issue".
>
> On the other hand, when reaching the captive-portal (which is using the
> exact same certificate with chain file), the browsers are not
> complaining and it seems like a valid SSL certificate.
>
> I'm wondering if it is now a "normal workflow" when connecting to a PEAP
> secured SSID to ask the end user to accept/validate the chained certificate?
>
> Any insight, tricks, ideas are more than welcome.
>
> Thanks!
>
> Derek

_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
