
List:       freeradius-users
Subject:    Re: Installing Third Part Certificate on FreeRadius
From:       Jacob Dawson <dawson () vt ! edu>
Date:       2011-12-27 19:44:22
Message-ID: 8999C5E0-02A0-4FE5-90D3-9642F44C0DC5 () vt ! edu

The extra info outside of the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' lines is just
extra, informative stuff you can get openssl to generate for you when you put
together your file.

On further reflection, I believe I was mistaken.  Looks like we stuff all the
useful-to-freeradius certs in ca.pem (our server ca, our network access CA that signs
all the certificates clients use to connect via TLS, etc), while the .crt file is
where we put the actual service certificate and its pedigree.  Makes sense, because I
had some headaches learning about how FR varies in the way its cert is put together,
namely, while I was handed the certificate and its chain in two separate files, like
we use on some of our web servers, I had to cat them into a single cert file for FR,
as opposed to stuffing the cert chain into ca.pem.

Good learning experience.
- Jacob

On 27 Dec 2011, at 14:16, McSparin, Joe wrote:

> I notice that the existing server.pem file contains the locality and
> organization name and so forth along with a local key id before it lists
> the cert chain.  Is there something I need to do to generate this? 
> 
> 
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcsparin@hillcountrymemorial.org
> 
> -----Original Message-----
> From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org]
> On Behalf Of Jacob Dawson
> Sent: Tuesday, December 27, 2011 12:41 PM
> To: FreeRadius users mailing list
> Subject: Re: Installing Third Part Certificate on FreeRadius
> 
> Yup, there's a difference.  You'll want to put the cert chain in the pem
> file so that it's available for clients when you present your cert for
> the first time.  Just put the cert all by itself in the crt file.
> 
> I'm about to go swap them out on our systems, so I'll review to see if
> there was anything else odd about it.
> 
> Jacob M. Dawson
> Network Research Engineer
> Virginia Tech
> 
> On 27 Dec 2011, at 12:41, McSparin, Joe wrote:
> 
> > I have a certificate called AddTrustExternalCARoot.crt that I would
> > like to have FreeRadius start using.  I know I need to change the
> > eap.conf to look at the new cert however I was noticing that when the
> > test certificates are created there is both a server.crt and server.pem.
> > Is there a difference and do I need to do something to create an
> > AddTrustExternalCARoot.pem file?
> > 
> > Thanks,
> > 
> > Joseph R. McSparin
> > Network Administrator
> > Hill Country Memorial Hospital
> > 830 990 6638 phone
> > 830 990 6623 fax
> > jmcsparin@hillcountrymemorial.org
> > 
> > 
> > This email message and any attachments are for the sole use of the
> > intended recipient(s) and contain confidential and/or privileged
> > information. Any unauthorized review, use, disclosure or distribution is
> > prohibited. If you are not the intended recipient, please contact the
> > sender by reply email and destroy all copies of the original message and
> > any attachments.
> > 
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
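
The file layout described in the reply above (service certificate and its chain concatenated into one file, informational text outside the BEGIN/END lines ignored), as an added example that is not part of the original thread or of FreeRADIUS. The function names and the sample data are hypothetical and constructed for illustration; the code only assembles the file and does not verify signatures or chain order.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)], dropping informational text such as
    'Bag Attributes', 'localKeyID' or 'subject=' lines between blocks."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if label == "CERTIFICATE" and der[:1] != b"\x30":
            raise ValueError("certificate body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def to_pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def build_cert_file(cert_text, chain_text):
    """Service certificate first, then its chain, as one PEM file."""
    leaf = pem_blocks(cert_text)
    chain = pem_blocks(chain_text)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("certificate file must hold exactly one certificate")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("chain file must hold certificates only")
    seen, out = set(), []
    for label, der in leaf + chain:
        if der not in seen:  # some chain files repeat the service certificate
            seen.add(der)
            out.append(to_pem(label, der))
    return "".join(out)


# Constructed sample input: short DER-like byte strings, not real certificates.
SAMPLE_CERT = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
               "subject=/O=Example/CN=radius.example.org\n"
               + to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01"))
SAMPLE_CHAIN = (to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
                + to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x03"))
```

Rejecting any non-certificate block in the chain input keeps a private key from being copied into a file that may be handed out more widely than the key should be.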

