[RADIATOR] Trust client certificates of a specific issuing CA
Philip Brusten
philip.brusten at kuleuven.be
Wed Apr 19 14:17:00 UTC 2017
Hi
Assume you have a PKI like:
root CA
  - intermediate CA 1
      - issuing CA 1
  - intermediate CA 2
      - issuing CA 2
If you only want to trust endpoint certificates for EAP-TLS issued by
"issuing CA 2", would it be sufficient to *only* trust "issuing CA 2" in
EAPTLS_CAFile?
Or is it required to trust the entire chain: "root CA" + "intermediate
CA 2" + "issuing CA 2"?
If you do the latter and a supplicant device has a certificate issued by
"issuing CA 1" and sends its entire certificate chain up to the root CA
during the handshake, will it be validated as well?
The documentation
https://www.open.com.au/radiator/ref/EAPTLS_CAFile.html#EAPTLS_CAFile is
not entirely clear on that.
Kind regards,
Philip
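
The scenario in the question can be reproduced offline with the OpenSSL command line. The script below is an added example, not part of the original post and not Radiator code. It builds a throwaway PKI with the same shape (the names root, int1, iss1, int2, iss2, leaf1, leaf2 are constructed) and uses `openssl verify` as a stand-in for the server's chain validation. It assumes OpenSSL 1.1.0 or later is installed and that the server validates chains the way OpenSSL's verifier does; the page does not say whether Radiator enables partial-chain trust.

```shell
#!/bin/sh
# Constructed test PKI mirroring the post's layout; every name here is made up.
set -e
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT; cd "$D"
cat > c.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = CA:FALSE
EOF

# issue NAME ISSUER EXT: new key and certificate for NAME, signed by ISSUER.
issue() {
  openssl req -new -config c.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 -extfile c.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
openssl req -x509 -config c.cnf -extensions ca -newkey rsa:2048 -nodes \
  -keyout root.key -subj "/CN=root" -days 2 -out root.pem 2>/dev/null
for n in 1 2; do
  issue "int$n" root ca; issue "iss$n" "int$n" ca; issue "leaf$n" "iss$n" ee
done
cat root.pem int2.pem iss2.pem > chain2.pem   # the "entire chain" trust file

# accepts N TRUSTFILE [verify flags]: succeeds if leafN validates against
# TRUSTFILE when the client also sends intN and issN (passed as -untrusted).
accepts() {
  n=$1; ca=$2; shift 2
  cat "int$n.pem" "iss$n.pem" > sent.pem
  openssl verify "$@" -CAfile "$ca" -untrusted sent.pem "leaf$n.pem" 2>&1 |
    grep -q ': OK$'
}
report() { if accepts "$@"; then echo "ACCEPT leaf$*"; else echo "REJECT leaf$*"; fi; }
report 2 iss2.pem                  # only issuing CA 2, default chain building
report 2 iss2.pem -partial_chain   # only issuing CA 2, partial chains allowed
report 1 iss2.pem -partial_chain
report 2 chain2.pem                # root + intermediate CA 2 + issuing CA 2
report 1 chain2.pem                # CA 1 branch, chain supplied by the client
```

The five lines print REJECT, ACCEPT, REJECT, ACCEPT, ACCEPT: a trust file holding only the issuing CA validates nothing unless partial chains are allowed, and once the root CA is in the trust file a certificate from the "issuing CA 1" branch validates as well when the client sends its intermediates.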