(RADIATOR) TTLS with intermediate certificates?

Jon Moore jonm at isc.upenn.edu
Wed Mar 16 13:59:29 CST 2005



We are using EAP-TTLS with Radiator, and when we went to renew our 
server SSL certificates, our CA (Thawte) told us they were changing the 
way they were generating certificates.

It used to be that we had a server cert signed by the Thawte Server CA 
(self-signed). Now the server cert is signed by the Thawte SGC CA, 
which is itself signed by the Verisign Class 3 Public Primary CA 
(whew). The Thawte SGC CA is not one of the trusted root CAs, but the 
Verisign is.

So it seems like I need to set my EAPTLS_CertificateFile to point to 
the new server cert. Do I point my EAPTLS_CAFile to a file containing 
the intermediate cert (Thawte SGC CA) or the root cert (the Verisign 
one)? If I'm doing TTLS, does the EAPTLS_CAFile even get used (since 
I'm not validating client certificates)?

Or does EAPTLS_CertificateFile need to point to a file containing both 
the server cert and the intermediate cert?

Our Windows 802.1x supplicants (Alfa & Ariss SecureW2 and Meetinghouse 
Aegis) seem to be getting hung up with validating the cert chain, 
although they both profess to support intermediate certificates, so I'm 
thinking we are not serving them up correctly from Radiator.

Confused,
Jon
--
Jon Moore
ISC Networking & Telecommunications
University of Pennsylvania
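An added check, not from the original thread and not Radiator's own tooling, for the chain problem described above: whichever file a RADIUS server hands out, the supplicant must receive the intermediate as well as the server certificate. This script builds a throwaway root, intermediate and server certificate hierarchy with openssl (all names are constructed for the demo) and then tests which certificate file verifies as a complete chain against the root alone.

```shell
#!/bin/sh
# Added example: build a demo root -> intermediate -> server chain and check
# whether a PEM file carries everything a supplicant needs to reach the root.
set -e

WORK="${TMPDIR:-/tmp}/chaincheck.$$"   # scratch directory, constructed for the demo

make_demo_chain() {
  mkdir -p "$WORK"
  # Self-signed root CA (plays the role of the trusted root in the supplicant's store)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  # Intermediate CA signed by the root (the part supplicants usually do not have)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/int.pem" -days 30 -extfile "$WORK/int.ext" 2>/dev/null
  # Server certificate signed by the intermediate (the renewed RADIUS cert)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=radius.example.org" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 30 2>/dev/null
  # Chain file: server cert first, then the intermediate; the root is not included
  cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/server-chain.pem"
}

# Returns 0 when the PEM file $1 (leaf first) verifies up to the trusted root using
# only the certificates it carries itself, i.e. no intermediate is missing.
chain_is_complete() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

make_demo_chain
for f in server.pem server-chain.pem; do
  if chain_is_complete "$WORK/$f"; then
    echo "$f: complete chain"
  else
    echo "$f: INCOMPLETE chain (intermediate not present)"
  fi
done
```

The bare server certificate fails the check and the concatenated file passes, which is the difference the supplicants in the post would see.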
