[RADIATOR] GeoTrust intermediate CA Certs and Radiator

Heikki Vatiainen hvn at open.com.au
Sun Aug 14 15:14:00 CDT 2011


On 08/14/2011 10:37 PM, John Goubeaux wrote:

> I ended up putting the signed CERT and the two Intermediate certs (e.g.
> all 3 components) in the EAPTLS_CertificateChainFile
> instead. This seems to be working OK as well.

Yes, that is one option too. Thanks for confirming it works.

The last time I tested CertificateChainFile, I noticed the following:
- EAPTLS_CAFile must be defined and contain some certificate
- EAPTLS_CertificateChainFile must start with Radiator's cert. After
that the CA certs can be in any order.

In other words, CertificateChainFile seems to have requirements about
its contents and ordering of certs.

Heikki


> -john
> 
> On 8/14/2011 10:36 AM, Heikki Vatiainen wrote:
>> On 08/12/2011 12:07 AM, John Goubeaux wrote:
>>
>> Hello John,
>>
>>> Can I assume that the proper placement of GeoTrust Intermediate CA
>>> Certificates will be the same as the solution mentioned in an earlier
>>> thread regarding Thawte Intermediate certs? e.g. place them in the file
>>> called by the "EAPTLS_CAFile" directive? Where bundle below is
>>> referring to the Intermediate certs provided by thawte.
>> Yes to all the questions above.
>>
>> A common configuration is to put all the CA certs in the EAPTLS_CAFile.
>> Radiator's certificate goes into EAPTLS_CertificateFile and the
>> private key goes into EAPTLS_PrivateKeyFile. If the private key is
>> password protected, EAPTLS_PrivateKeyPassword has the password.
>>
>> Thanks!
>> Heikki
>>
>>> Thanks!    -john
>>>
>>> from :
>>> http://www.open.com.au/pipermail/radiator/2011-February/017094.html
>>>
>>>> The path "/path/to/certs" can be anything. Some people use
>>>> /etc/radiator, /etc/radius or /etc/radiator/certs. In many cases
>>>> it is the same directory where Radiator configuration lies.
>>>>
>>>> You mention "Radiator SSL cert from Thawte". This is what goes into
>>>> EAPTLS_CertificateFile and the cert's private key goes to
>>>> EAPTLS_PrivateKeyFile. The bundle goes into EAPTLS_CAFile.
>>>>
>>>> This should enable Radiator to send the clients its own cert and all
>>>> required CA certificates. The bundle can also contain the root CA,
>>>> but the intermediates should be enough.
>>>>
>>>> Best regards,
>>>> Heikki
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
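The two file layouts discussed in this thread, as an added example that is not part of the original messages or of Radiator itself: it builds a throwaway root -> intermediate -> server PKI with openssl, writes the files once the way Heikki describes (EAPTLS_CertificateFile, EAPTLS_PrivateKeyFile and EAPTLS_CAFile) and once the way John did (one EAPTLS_CertificateChainFile), and checks the two requirements Heikki observed for the chain file: Radiator's own cert first, and a non-empty EAPTLS_CAFile. It assumes openssl is on PATH; the test PKI, the file names, the host name radius.example.org and the enclosing Radiator clause (not shown) are constructed for the example.

```shell
#!/bin/sh
# Added example, not Radiator's own code. Assumes: openssl on PATH; the
# Radiator directives named in the comments live inside whatever
# Handler/AuthBy clause the real config uses (not shown here).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI standing in for the CA-issued server cert and the
# CA's intermediate bundle. Extensions come from small ext files so the
# result does not depend on the system openssl.cnf.
gen_test_pki() {
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\n' > srv.ext
    # Root: CSR, then self-signed with CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 1 \
        -extfile ca.ext 2>/dev/null
    # Intermediate, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out int.crt -days 1 -extfile ca.ext 2>/dev/null
    # Radiator's server cert, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=radius.example.org" 2>/dev/null
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -out server.crt -days 1 -extfile srv.ext 2>/dev/null
}

# Layout 1 (Heikki): own cert, own key and the CA bundle in three files.
layout_separate_files() {
    cp server.crt certificate.pem      # EAPTLS_CertificateFile
    cp server.key privatekey.pem       # EAPTLS_PrivateKeyFile (unencrypted key,
                                       # so no EAPTLS_PrivateKeyPassword needed)
    cat int.crt root.crt > cafile.pem  # EAPTLS_CAFile: intermediates, root optional
}

# Layout 2 (John): own cert followed by the CA certs in one
# EAPTLS_CertificateChainFile. The CA certs may follow in any order,
# but the own cert must come first.
layout_chain_file() {
    cat server.crt root.crt int.crt > chain.pem        # own cert first: OK
    cat int.crt server.crt root.crt > chain-wrong.pem  # intermediate first: wrong
}

# openssl x509 reads only the first PEM block, so this fingerprints
# whichever certificate leads the file.
first_cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# True when the chain file ($1) starts with the server certificate ($2).
chain_starts_with_server_cert() {
    [ "$(first_cert_fingerprint "$1")" = "$(first_cert_fingerprint "$2")" ]
}

# True when the CA file holds at least one certificate.
cafile_has_cert() { grep -q 'BEGIN CERTIFICATE' "$1"; }

gen_test_pki
layout_separate_files
layout_chain_file

# The chain validates up to the root using only what Radiator would hand out.
openssl verify -CAfile root.crt -untrusted chain.pem server.crt

chain_starts_with_server_cert chain.pem server.crt && echo "chain.pem: own cert first, OK"
if ! chain_starts_with_server_cert chain-wrong.pem server.crt; then
    echo "chain-wrong.pem: does not start with Radiator's cert, violates the ordering rule"
fi
cafile_has_cert cafile.pem && echo "cafile.pem: contains a CA certificate"
```

For a real deployment, replace the generated server.crt, server.key and the int.crt/root.crt pair with the GeoTrust-issued certificate, its private key and the intermediate bundle GeoTrust ships; the first_cert_fingerprint check is a quick way to confirm which certificate leads a chain file before pointing EAPTLS_CertificateChainFile at it.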

