[RADIATOR] Thawte Intermediate Certificates and Windows 7

Bob Shafer bshafer at du.edu
Mon Feb 28 11:43:09 CST 2011


Earlier in February, my colleague contacted the list concerning the use 
of Thawte intermediate certificates.

He followed the instructions he received from Heikki, (see a copy of 
Heikki's message below my signature) and that seemed to resolve the 
issue.  At least for Macs, older versions of Windows, various 
handhelds, iPads, etc.

However, when used with a Windows 7 client, users get a pop-up warning 
them that the certificate is not recognized and an opportunity, with a 
strongly worded warning, to accept it manually.

If they don't accept it they get this error message:
___________________________________________________________________
Radius Server:           radius.du.edu
Root CA:                 Thawte Primary Root CA

The server "radius.du.edu" presented a valid certificate issued by 
"thawte Primary Root CA", but "thawte Primary Root CA" is not configured 
as a valid trust anchor for this profile.
___________________________________________________________________

If they do accept it, the connection is made, and they will not have to 
accept it again.

However, as we keep telling our users, clicking through such warnings is 
*not* a good security practice and we'd like to not encourage this as an 
exception.

Other clients that work report correctly that the certificate is issued 
by Thawte Premium Server CA as opposed to the Thawte Primary Root CA, 
and are as happy as clams.

There are two intermediary certificates in the bundle; do we need to add 
the Root CA to the bundle as well?

Or is there something else we're missing or doing incorrectly?

Thank you for your help,

Bob Shafer
University of Denver

On 02/16/2011 07:01 PM, Carl Gibbons wrote:

 > > I was given a file named SSL_CA_Bundle.pem containing intermediate
 > > certificates necessary for our new Radiator SSL cert from Thawte.
 > > What to do with these? Our installation is on RHEL5.
 > >
 > > I tried putting them in the .pem file specified by the
 > > EAPTLS_CertificateFile directive keyword in our config, but that
 > > didn't work. A colleague suggested they may need to go in
 > > /etc/pki/tls/certs/ca-bundle.crt, but I don't have the extra
 > > information about the intermediate certs that I see in that file.

Do this:

EAPTLS_CAFile /path/to/certs/SSL_CA_Bundle.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile /path/to/certs/server-cert.pem
EAPTLS_PrivateKeyFile /path/to/certs/server-key.pem
# If the key is password protected
# EAPTLS_PrivateKeyPassword key-password

The path "/path/to/certs" can be anything. Some people use
/etc/radiator, /etc/radius or /etc/radiator/certs. In many cases it is
the same directory where Radiator configuration lies.

You mention "Radiator SSL cert from Thawte". This is what goes into
EAPTLS_CertificateFile and the cert's private key goes to
EAPTLS_PrivateKeyFile. The bundle goes into EAPTLS_CAFile.

This should enable Radiator to send the clients its own cert and all
required CA certificates. The bundle can also contain the root CA, but
the intermediates should be enough.

Best regards,
Heikki

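Bob asks whether the root CA belongs in the bundle, and Heikki describes what Radiator sends from EAPTLS_CertificateFile and EAPTLS_CAFile. The following is an added example, not code from the thread or from Radiator: it walks a PEM file in that order (server cert first, then the bundle), checks that each certificate's issuer matches the next certificate's subject, and reports whether the last certificate is self-signed, i.e. whether the root is in the bundle. The sample certificates are constructed, unsigned, certificate-shaped placeholders with invented names (radius.example.edu, Example Intermediate CA, Example Root CA), just enough DER for the walker to run offline.

```python
import base64
import re

def der_children(body):  # split the body of a DER SEQUENCE/SET into (tag, value) pairs
    out, i = [], 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                                   # long-form length: n & 0x7F length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + n]))
        i += n
    return out

def common_name(name_body):  # CN attribute of an X.501 Name body, or '?' if absent
    for _, rdn in der_children(name_body):             # Name is SEQUENCE OF SET (RDNs)
        for _, atv in der_children(rdn):               # each RDN is SET OF SEQUENCE {type, value}
            (_, oid), (_, val) = der_children(atv)
            if oid == b"\x55\x04\x03":                 # id-at-commonName
                return val.decode()
    return "?"

def issuer_subject(der):  # (issuer CN, subject CN) of a DER-encoded X.509 certificate
    tbs = der_children(der_children(der_children(der)[0][1])[0][1])
    if tbs[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        tbs = tbs[1:]
    return common_name(tbs[2][1]), common_name(tbs[4][1])  # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_text):
    """pem_text: server cert followed by the CA bundle, in the order Radiator sends them.
    Returns ([(subject, issuer, next cert's subject matches issuer), ...], root_included)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [issuer_subject(base64.b64decode("".join(b.split()))) for b in blocks]
    links = [(sub, iss, iss == nxt_sub) for (iss, sub), (_, nxt_sub) in zip(certs, certs[1:])]
    return links, bool(certs) and certs[-1][0] == certs[-1][1]  # self-signed last cert => root included
# Constructed, unsigned, certificate-shaped PEM blocks so the walker can run offline (not real certs).
def tlv(tag, body):
    assert len(body) < 128                             # short-form DER length is enough for these
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")   # version, serial, sigAlg
           + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))      # validity and SPKI left empty
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
SERVER = fake_cert("radius.example.edu", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
```

Running check_chain on the concatenation of a real server cert and bundle shows at a glance whether the intermediates actually link to the server cert and whether the bundle ends at a self-signed root, which is the distinction the Windows 7 prompt above is complaining about.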