List: freeradius-users
Subject: Re: Installing Third Part Certificate on FreeRadius
From: Jacob Dawson <dawson () vt ! edu>
Date: 2011-12-27 19:44:22
Message-ID: 8999C5E0-02A0-4FE5-90D3-9642F44C0DC5 () vt ! edu
The extra info outside of the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' lines is just
extra, informative stuff you can get openssl to generate for you when you put
together your file.

On further reflection, I believe I was mistaken. Looks like we stuff all the
useful-to-freeradius certs in ca.pem (our server ca, our network access CA that signs
all the certificates clients use to connect via TLS, etc), while the .crt file is
where we put the actual service certificate and its pedigree. Makes sense, because I
had some headaches learning about how FR varies in the way its cert is put together,
namely, while I was handed the certificate and its chain in two separate files, like
we use on some of our web servers, I had to cat them into a single cert file for FR,
as opposed to stuffing the cert chain into ca.pem.

Good learning experience.

- Jacob

On 27 Dec 2011, at 14:16, McSparin, Joe wrote:
> I notice that the existing server.pem file contains the locality and
> organization name and so forth along with a local key id before it lists
> the cert chain. Is there something I need to do to generate this?
>
>
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcsparin@hillcountrymemorial.org
>
> -----Original Message-----
> From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Jacob Dawson
> Sent: Tuesday, December 27, 2011 12:41 PM
> To: FreeRadius users mailing list
> Subject: Re: Installing Third Part Certificate on FreeRadius
>
> Yup, there's a difference. You'll want to put the cert chain in the pem
> file so that it's available for clients when you present your cert for
> the first time. Just put the cert all by itself in the crt file.
>
> I'm about to go swap them out on our systems, so I'll review to see if
> there was anything else odd about it.
>
> Jacob M. Dawson
> Network Research Engineer
> Virginia Tech
>
> On 27 Dec 2011, at 12:41, McSparin, Joe wrote:
>
> > I have a certificate called AddTrustExternalCARoot.crt that I would
> > like to have FreeRadius start using. I know I need to change the
> > eap.conf to look at the new cert however I was noticing that when the
> > test certificates are created there is both a server.crt and server.pem.
> > Is there a difference and do I need to do something to create a
> > AddTrustExternalCARoot.pem file.
> >
> > Thanks,
> >
> > Joseph R. McSparin
> > Network Administrator
> > Hill Country Memorial Hospital
> > 830 990 6638 phone
> > 830 990 6623 fax
> > jmcsparin@hillcountrymemorial.org
> >
> >
> > This email message and any attachments are for the sole use of the
> > intended recipient(s) and contain confidential and/or privileged
> > information. Any unauthorized review, use, disclosure or distribution is
> > prohibited. If you are not the intended recipient, please contact the
> > sender by reply email and destroy all copies of the original message and
> > any attachments.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
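
Added example, not part of the original messages and not FreeRADIUS project code: a shell version of the assembly described in the reply above, where the service certificate and its chain arrive as two files and are concatenated into one certificate file, with the informative text outside the BEGIN/END lines dropped. The function names and file names are hypothetical, and `show_chain_order` assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Function and file names are hypothetical placeholders.

# Print only the certificate blocks of a PEM file, dropping the informative
# text (subject, issuer, local key id) outside the BEGIN/END lines.
pem_certs_only() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"
}

# Number of certificates in a PEM file (0 if the file is missing or empty).
count_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Write OUT as: service certificate first, then the chain it was issued under.
# usage: build_server_cert_file LEAF CHAIN OUT
build_server_cert_file() {
    leaf=$1; chain=$2; out=$3
    [ "$(count_certs "$leaf")" -eq 1 ] || {
        echo "$leaf: expected exactly one certificate" >&2
        return 1
    }
    [ "$(count_certs "$chain")" -ge 1 ] || {
        echo "$chain: no certificates found" >&2
        return 1
    }
    { pem_certs_only "$leaf"; pem_certs_only "$chain"; } > "$out"
}

# Print subject and issuer of every certificate in FILE, in file order,
# so the order (service certificate, then its issuers) can be checked by eye.
show_chain_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
```

Running `show_chain_order` on the assembled file should list the service certificate first, with each following subject matching the issuer printed before it.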