On 02/16/2011 07:01 PM, Carl Gibbons wrote: > I was given a file named SSL_CA_Bundle.pem containing intermediate > certificates necessary for our new Radiator SSL cert from Thawte. > What to do with these? Our installation is on RHEL5. > > I tried putting them in the .pem file specified by the > EAPTLS_CertificateFile directive keyword in our config, but that > didn't work. A colleague suggested they may need to go in > /etc/pki/tls/certs/ca-bundle.crt, but I don't have the extra > information about the intermediate certs that I see in that file.
Do this: EAPTLS_CAFile /path/to/certs/SSL_CA_Bundle.pem EAPTLS_CertificateType PEM EAPTLS_CertificateFile /path/to/certs/server-cert.pem EAPTLS_PrivateKeyFile /path/to/certs/server-key.pem # If the key is password protected # EAPTLS_PrivateKeyPassword key-password The path "/path/to/certs" can be anything. Some people use /etc/radiator, /etc/radius or /etc/radiator/certs. In many cases it is the same directory where Radiator configuration lies. You mention "Radiator SSL cert from Thawte". This is what goes into EAPTLS_CertificateFile and the cert's private key goes to EAPTLS_PrivateKeyFile. The bundle goes into EAPTLS_CAFile. This should enable Radiator to send the clients its own cert and all required CA certificates. The bundle can also contain the root CA, but the intermediates should be enough. Best regards, Heikki -- Heikki Vatiainen <h...@open.com.au> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
