[RADIATOR] Can't get chain certificates to work
David Zych
dmrz at illinois.edu
Thu Nov 4 14:32:45 CDT 2010
> EAPType TTLS
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
> EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem [enabled]
> EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
> EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
> EAPTLS_PrivateKeyPassword xxxx
>
> I get this error:
>
> Tue Nov 2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1: 23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I fought with this same issue and eventually discovered that the
Radiator documentation is misleading: including both an
EAPTLS_CertificateFile (for the server cert) and an
EAPTLS_CertificateChainFile (for the intermediate cert) does not work
because the underlying call to SSL_CTX_use_certificate_chain_file()
expects a *single* file that contains *all* of the necessary certs. The
error you're seeing now indicates that your private key doesn't match
the first cert in thawte.SSL123bundle.pem.
What you want to do is put them all in one file with yours on top:
cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem
and specify:
EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem
(do not include an EAPTLS_CertificateFile directive)
Hope this helps.
David
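As an added illustration that is not part of David's reply or of Radiator itself: the script below builds a throwaway root / intermediate / server hierarchy with openssl (constructed test data standing in for the Thawte root, the SSL123 bundle and wirelesscert.pem), concatenates it into one chain file in the order OpenSSL expects (your own cert on top, then the bundle), and runs the same check X509_check_private_key performs, i.e. that the private key matches the FIRST certificate in the file. The function and file names are this example's own, not Radiator's.

```shell
#!/bin/sh
# Added example (not from the original post or from Radiator): build a single
# chain file in the order OpenSSL expects (server cert first, then the
# intermediates) and check, as X509_check_private_key does, that the private
# key matches the FIRST certificate in that file. The PKI below is constructed
# on the fly with openssl; no real Thawte files are involved.
set -eu

# Public key of the first certificate in a PEM file. "openssl x509 -in" reads
# only the first certificate block, which is exactly the one that
# SSL_CTX_use_certificate_chain_file() pairs with the private key.
first_cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Succeeds when private key $2 matches the first certificate in chain file $1.
# For an encrypted key (EAPTLS_PrivateKeyPassword) add: -passin pass:xxxx
key_matches_first_cert() {
    [ "$(first_cert_pubkey "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds when the first certificate in chain file $2 verifies up to root $1,
# using the remaining certificates in $2 as untrusted intermediates.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Number of certificates in a PEM file (server cert plus intermediates).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed test data: root -> intermediate -> server, mirroring the
# thawte.Premium.Root.CA / thawte.SSL123bundle / wirelesscert layout.
make_test_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Test $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
    # What a vendor "bundle" typically contains: intermediate (and root) only.
    # Pointing EAPTLS_CertificateChainFile at this gives "key values mismatch".
    cat "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
    # What the directive must point at: our own cert on top, then the bundle.
    cat "$d/server.pem" "$d/bundle.pem" > "$d/fullchain.pem"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_test_pki "$work"
for f in bundle.pem fullchain.pem; do
    if key_matches_first_cert "$work/$f" "$work/server.key"; then
        echo "$f: private key matches the first cert (Radiator would load this)"
    else
        echo "$f: key values mismatch (the error quoted in the thread)"
    fi
done
```

Against real files, run key_matches_first_cert on fullchain.pem and the Thawte key before restarting Radiator, and chain_verifies with the root PEM named in EAPTLS_CAFile; the second check catches a bundle that is missing the intermediate, which fails on the client side rather than at startup.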