On 06/09/2014 09:55 PM, Johnson, Neil M wrote:

> Should I be doing this:
>
> EAPTLS_CAFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu.cer
> EAPTLS_CertificateFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu_cert.cer
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/prod2017/privateKey.key
> EAPTLS_PrivateKeyPassword <Secret>

I think this works the same as the other example below. A thing to note seems to be that with CertificateChainFile the server certificate must be the first certificate, just like you have.

I think the difference between CAFile and CertificateChainFile becomes important when a client certificate is required. For example, with EAP-TLS the clients may have a different root CA than the server does. In this case you'd specify the server side certificates with CertificateChainFile and the client side with CAFile.

> Or should I be doing this:
>
> EAPTLS_CertificateChainFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu.cer
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/prod2017/privateKey.key
> EAPTLS_PrivateKeyPassword <Secret>
>
> Where:
> File: net-auth-1_its_uiowa_edu_cert just contains the Server Certificate
> and
> File: net-auth-1_its_uiowa_edu.cer contains a chain of certificates starting
> with the server certificate, followed by an intermediate certificate, and
> then finally the CA certificate.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
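Added example, not part of the original message and not Radiator code: a pre-deployment check that a PEM bundle intended for EAPTLS_CertificateChainFile is ordered server certificate first, then intermediate, then CA, as described in the thread. It compares raw issuer and subject names only and does not verify signatures; the function names and the skeleton sample certificates are constructed for illustration.

```python
import base64, re

def tlv(data, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                          # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def issuer_subject(der):
    """Return the raw DER (issuer, subject) Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                   # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)                 # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                           # optional [0] version
        pos = end
    fields = []
    for _ in range(5):                        # serial, sigAlg, issuer, validity, subject
        end = tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain_order(pem_text):
    """Return a list of ordering problems; an empty list means leaf-first order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [issuer_subject(base64.b64decode("".join(b.split()))) for b in blocks]
    if not names:
        return ["no certificates found"]
    problems = []
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("first certificate is self-issued: a CA precedes the server certificate")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:    # issuer of i must equal subject of i+1
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

# Constructed sample input: name-only certificate skeletons, no keys or signatures.
def _der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form lengths only (< 128 bytes)
def fake_cert(subject, issuer):
    name = {cn: _der(0x30, _der(0x0C, cn.encode())) for cn in (subject, issuer)}
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name[issuer] + _der(0x30, b"") + name[subject])
    body = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
SAMPLE = fake_cert("net-auth", "Intermediate CA") + fake_cert("Intermediate CA", "Root CA") + fake_cert("Root CA", "Root CA")
```

To check a real bundle, pass the file's text to check_chain_order(); an empty list means the name chaining matches the server-first order.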