He followed the instructions he received from Heikki, (see a copy of Heikki's message below my signature) and that seemed to resolve the issue. At least for Mac's, older versions of Windows, various handhelds, Ipads, etc.
However, when used with a Windows 7 client, users' get a pop up warning them that the certificate is not recognized and an opportunity, with a strongly worded warning, to accept it manually.
If they don't accept it they get this error message: ___________________________________________________________________ Radius Server: radius.du.edu Root CA: Thawte Primary Root CAThe server "radius.du.edu" presented a valid certificate issued by "thawte Primary Root CA", but "thawte Primary Root CA" is not configured as a valid trust anchor for this profile.
___________________________________________________________________If they do accept it, the connection is made, and they will not have to accept it again.
However, as we keep telling our users, clicking through such warnings is *not* a good security practice and we'd like to not encourage this as an exception.
Other clients that work report correctly that the certificate is issued by Thawte Premium Server CA as opposed to the Thawte Primary Root CA, and are as happy as clams.
There are two intermediary certificates in the bundle, do we need to add the Root CA to the bundle as well?
Or is there something else we're missing or doing incorrectly? Thank you for your help, Bob Shafer University of Denver On 02/16/2011 07:01 PM, Carl Gibbons wrote: > > I was given a file named SSL_CA_Bundle.pem containing intermediate > > certificates necessary for our new Radiator SSL cert from Thawte. > > What to do with these? Our installation is on RHEL5. > > > > I tried putting them in the .pem file specified by the > > EAPTLS_CertificateFile directive keyword in our config, but that > > didn't work. A colleague suggested they may need to go in > > /etc/pki/tls/certs/ca-bundle.crt, but I don't have the extra > > information about the intermediate certs that I see in that file. Do this: EAPTLS_CAFile /path/to/certs/SSL_CA_Bundle.pem EAPTLS_CertificateType PEM EAPTLS_CertificateFile /path/to/certs/server-cert.pem EAPTLS_PrivateKeyFile /path/to/certs/server-key.pem # If the key is password protected # EAPTLS_PrivateKeyPassword key-password The path "/path/to/certs" can be anything. Some people use /etc/radiator, /etc/radius or /etc/radiator/certs. In many cases it is the same directory where Radiator configuration lies. You mention "Radiator SSL cert from Thawte". This is what goes into EAPTLS_CertificateFile and the cert's private key goes to EAPTLS_PrivateKeyFile. The bundle goes into EAPTLS_CAFile. This should enable Radiator to send the clients its own cert and all required CA certificates. The bundle can also contain the root CA, but the intermediates should be enough. Best regards, Heikki
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
