[RADIATOR] Thawte Intermediate Certificates and Windows 7

Andrew Clark adc at umn.edu
Mon Feb 28 11:48:37 CST 2011


I've had a lot of fun with some Windows clients not showing particular CAs
(AddTrust External CA Root, in my case) in the list of recognized
certification authorities within the Windows 802.1X supplicant
configuration.
What's really frustrating is that the client must know about that particular
CA, as it will happily connect to an https site that has a certificate
signed by the same CA.  Usually that root will show up in the supplicant's
list of recognized CAs after visiting an https site signed by that root.  If
that fails, we've had the client manually install the root.

-- 
Andrew D. Clark
Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880

On Mon, Feb 28, 2011 at 5:43 PM, Bob Shafer <bshafer at du.edu> wrote:

> Earlier in February, my colleague contacted the list concerning the use of
> Thawte intermediate certificates.
>
> He followed the instructions he received from Heikki, (see a copy of
> Heikki's message below my signature) and that seemed to resolve the issue.
> At least for Macs, older versions of Windows, various handhelds, iPads,
> etc.
>
> However, when used with a Windows 7 client, users get a pop-up warning
> them that the certificate is not recognized and an opportunity, with a
> strongly worded warning, to accept it manually.
>
> If they don't accept it they get this error message:
> ___________________________________________________________________
> Radius Server:           radius.du.edu
> Root CA:                 Thawte Primary Root CA
>
> The server "radius.du.edu" presented a valid certificate issued by "thawte
> Primary Root CA", but "thawte Primary Root CA" is not configured as a valid
> trust anchor for this profile.
> ___________________________________________________________________
>
> If they do accept it, the connection is made, and they will not have to
> accept it again.
>
> However, as we keep telling our users, clicking through such warnings is
> *not* a good security practice and we'd like to not encourage this as an
> exception.
>
> Other clients that work report correctly that the certificate is issued by
> Thawte Premium Server CA as opposed to the Thawte Primary Root CA, and are
> as happy as clams.
>
> There are two intermediary certificates in the bundle; do we need to add
> the Root CA to the bundle as well?
>
> Or is there something else we're missing or doing incorrectly?
>
> Thank you for your help,
>
> Bob Shafer
> University of Denver
>
> On 02/16/2011 07:01 PM, Carl Gibbons wrote:
>
> > > I was given a file named SSL_CA_Bundle.pem containing intermediate
> > > certificates necessary for our new Radiator SSL cert from Thawte.
> > > What to do with these? Our installation is on RHEL5.
> > >
> > > I tried putting them in the .pem file specified by the
> > > EAPTLS_CertificateFile directive keyword in our config, but that
> > > didn't work. A colleague suggested they may need to go in
> > > /etc/pki/tls/certs/ca-bundle.crt, but I don't have the extra
> > > information about the intermediate certs that I see in that file.
> Do this:
>
> EAPTLS_CAFile /path/to/certs/SSL_CA_Bundle.pem
> EAPTLS_CertificateType PEM
> EAPTLS_CertificateFile /path/to/certs/server-cert.pem
> EAPTLS_PrivateKeyFile /path/to/certs/server-key.pem
> # If the key is password protected
> # EAPTLS_PrivateKeyPassword key-password
>
> The path "/path/to/certs" can be anything. Some people use
> /etc/radiator, /etc/radius or /etc/radiator/certs. In many cases it is
> the same directory where Radiator configuration lies.
>
> You mention "Radiator SSL cert from Thawte". This is what goes into
> EAPTLS_CertificateFile and the cert's private key goes to
> EAPTLS_PrivateKeyFile. The bundle goes into EAPTLS_CAFile.
>
> This should enable Radiator to send the clients its own cert and all
> required CA certificates. The bundle can also contain the root CA, but
> the intermediates should be enough.
>
> Best regards,
> Heikki
>
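As an added example (not from this thread and not Radiator's own code), a small POSIX shell script that uses the openssl command-line tool to inspect the two files Heikki's config refers to: it lists subject and issuer for every certificate in the EAPTLS_CAFile bundle, flags self-signed roots, and verifies that the EAPTLS_CertificateFile cert chains through the bundle to a given root. The file names and the hypothetical "radius.example.test" server name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not Radiator's code). Looks at the two
# files Heikki's config refers to: the server cert (EAPTLS_CertificateFile)
# and the bundle (EAPTLS_CAFile). It shows the subject/issuer of each cert,
# flags self-signed roots, and checks that the server cert chains through the
# bundle to a given root. Requires the openssl command-line tool.

# Split a PEM file into one file per certificate under directory $2 and
# print how many certificates it contained.
split_pem() {                       # $1 = pem file, $2 = work directory
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (dir "/cert" n ".pem") }' "$1"
  ls "$2"/cert*.pem | wc -l | tr -d ' '
}

# Print one "subject <- issuer" line per certificate. A cert whose issuer is
# its own subject is a self-signed root: that is the name a client (e.g. the
# Windows 802.1X profile) must have enabled as a trust anchor.
chain_report() {                    # $1 = pem file
  dir=$(mktemp -d)
  split_pem "$1" "$dir" >/dev/null
  for f in "$dir"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    tag=""
    [ "$subj" = "$iss" ] && tag=" [self-signed root]"
    echo "$subj <- $iss$tag"
  done
  rm -rf "$dir"
}

# Number of self-signed roots in a bundle (0 means intermediates only, as
# in an intermediate-only SSL_CA_Bundle.pem).
count_roots() { chain_report "$1" | grep -c 'self-signed root' || true; }

# Verify the server cert the way a supplicant does: the bundle only supplies
# untrusted intermediate links; the anchor ($3) must already be trusted.
verify_chain() {                    # $1 = server cert, $2 = bundle, $3 = trusted root
  if openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}
```

Run chain_report on the bundle to see which issuer the chain ends at; that root is the one the client's profile has to have enabled, otherwise the supplicant reports it as not a configured trust anchor.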

