[RADIATOR] Thawte Intermediate Certificates and Windows 7

Adam Bishop Adam.Bishop at ja.net
Mon Feb 28 12:05:38 CST 2011 

If I remember correctly, there is no way to solve this without hitting
Group Policy or requiring manual user intervention.

The issue is that out of the box, Windows trusts no root certificates for
802.1x authentication, no matter who the root CA is.

If you want to encourage your users to not click buttons blindly, then you
could guide them through enabling the correct root certificate authority.

Screenshot of how the default trust settings for 802.1x on Win7
Look on my newish VM: http://db.tt/6QwqaXk

Adam Bishop
JANET(UK)


On 28/02/2011 17:43, "Bob Shafer" <bshafer at du.edu> wrote:

>Earlier in February, my colleague contacted the list concerning the use
>of Thawte intermediate certificates.
>
>He followed the instructions he received from Heikki, (see a copy of
>Heikki's message below my signature) and that seemed to resolve the
>issue.  At least for Mac's, older versions of Windows, various
>handhelds, Ipads, etc.
>
>However, when used with a Windows 7 client, users' get a pop up warning
>them that the certificate is not recognized and an opportunity, with a
>strongly worded warning, to accept it manually.
>
>If they don't accept it they get this error message:
>___________________________________________________________________
>Radius Server:           radius.du.edu
>Root CA:                 Thawte Primary Root CA
>
>The server "radius.du.edu" presented a valid certificate issued by
>"thawte Primary Root CA", but "thawte Primary Root CA" is not configured
>as a valid trust anchor for this profile.
>___________________________________________________________________
>
>If they do accept it, the connection is made, and they will not have to
>accept it again.
>
>However, as we keep telling our users, clicking through such warnings is
>*not* a good security practice and we'd like to not encourage this as an
>exception.
>
>Other clients that work report correctly that the certificate is issued
>by Thawte Premium Server CA as opposed to the Thawte Primary Root CA,
>and are as happy as clams.
>
>There are two intermediary certificates in the bundle, do we need to add
>the Root CA to the bundle as well?
>
>Or is there something else we're missing or doing incorrectly?
>
>Thank you for your help,
>
>Bob Shafer
>University of Denver
>
>On 02/16/2011 07:01 PM, Carl Gibbons wrote:
>
> > > I was given a file named SSL_CA_Bundle.pem containing intermediate
> > > certificates necessary for our new Radiator SSL cert from Thawte.
> > > What to do with these? Our installation is on RHEL5.
> > >
> > > I tried putting them in the .pem file specified by the
> > > EAPTLS_CertificateFile directive keyword in our config, but that
> > > didn't work. A colleague suggested they may need to go in
> > > /etc/pki/tls/certs/ca-bundle.crt, but I don't have the extra
> > > information about the intermediate certs that I see in that file.
>Do this:
>
>EAPTLS_CAFile /path/to/certs/SSL_CA_Bundle.pem
>EAPTLS_CertificateType PEM
>EAPTLS_CertificateFile /path/to/certs/server-cert.pem
>EAPTLS_PrivateKeyFile /path/to/certs/server-key.pem
># If the key is password protected
># EAPTLS_PrivateKeyPassword key-password
>
>The path "/path/to/certs" can be anything. Some people use
>/etc/radiator, /etc/radius or /etc/radiator/certs. In many cases it is
>the same directory where Radiator configuration lies.
>
>You mention "Radiator SSL cert from Thawte". This is what goes into
>EAPTLS_CertificateFile and the cert's private key goes to
>EAPTLS_PrivateKeyFile. The bundle goes into EAPTLS_CAFile.
>
>This should enable Radiator to send the clients its own cert and all
>required CA certificates. The bundle can also contain the root CA, but
>the intermediates should be enough.
>
>Best regards,
>Heikki
>
>
>
>
>
>
>
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

More information about the radiator mailing list