Re: EAP-TLS certificate question (FreeRADIUS Users forum, Networking and Network Related category)
On 1/17/07, kemas <k_henry@ramayana.co.id> wrote:
> I am still confused about certificates. Can all client certificates created
> under one root CA be authenticated against a FreeRADIUS server that was started
> with a different server certificate?
>
> Is it possible to set things up like this?
>
>            root ca
>          ------------
>          /    |    \
>         /     |     \
>        /      |      \
>     server1 server2 server3
>     ------- ------- -------
>        |       |       |
>        |       |       |
>     client1 client2 client3
>
> I don't want client1 to be authenticated against server2 or server3.

1. Client certificates that are "under 1 root ca" are accepted with respect to the SSL/TLS side of things (other restrictions you implement/configure notwithstanding). The 1 root ca would be the one you tell the server to trust in CA_file. There might be even more than one, which should then reside in a place referenced in CA_path.

2. The servers' certificates are accepted by the supplicant if _they_ trust the pertinent root ca.

3. All those root cas being identical is in no way mandatory, while they might (often) be.

4. I'm not sure how to interpret your schema above. If construed to mean that client certificates have to be in some way issued from the servers' certificates, that is wrong (as in "don't need to be") and, while perhaps technically possible, ill advised from the SSL/TLS point of view.

Good starting points for further reading would be RFCs 2716 and 2246, maybe documentation of openssl.

Regards
K. Hoercher

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
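The points in the reply above can be checked directly with the openssl command-line tool. The script below is an added example, not part of the thread or of the FreeRADIUS project: it builds a constructed root CA ("Example Root CA") that issues three server and three client certificates, plus a second, unrelated root that issues one more client certificate, and then runs `openssl verify` the way a RADIUS server (CA_file) or a supplicant would. It shows that client1 chains to the root CA and not to server1, so the chain alone cannot confine client1 to server1, and that a certificate from a different root is rejected unless that root is also trusted. All names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): one root CA issues server and client
# certificates; verification follows the chain to the root, not to a server.
set -e

WORK=$(mktemp -d)          # constructed scratch directory; removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: a server cert and a client cert differ only in their EKU.
printf 'extendedKeyUsage = serverAuth\n' > server.ext
printf 'extendedKeyUsage = clientAuth\n' > client.ext

# make_root NAME SUBJECT: self-signed root CA (what CA_file would point at)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_cert ROOT NAME EXTFILE: end-entity cert for NAME signed by ROOT.
# The issuer is always the root CA; server certs never sign client certs.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$3" -out "$2.pem" >/dev/null 2>&1
}

# chain_ok NAME TRUSTFILE: succeeds only if NAME.pem chains to a root in
# TRUSTFILE. This is the TLS-side check the reply describes in points 1-3.
chain_ok() {
  openssl verify -CAfile "$2" "$1.pem" >/dev/null 2>&1
}

# Build the constructed PKI from the question's diagram.
make_root ca "Example Root CA"
for s in server1 server2 server3; do issue_cert ca "$s" server.ext; done
for c in client1 client2 client3; do issue_cert ca "$c" client.ext; done

# A second, independent root (point 3: roots need not be identical).
make_root other-ca "Other Root CA"
issue_cert other-ca client4 client.ext

# Human-readable summary when run by hand.
for pair in "client1 ca.pem" "client1 server1.pem" "client4 ca.pem" "client4 other-ca.pem"; do
  set -- $pair
  if chain_ok "$1" "$2"; then
    echo "$1 verifies against $2"
  else
    echo "$1 does NOT verify against $2"
  fi
done
```

Because client1 verifies against the root but not against server1.pem, restricting client1 to server1 has to be done in the server's own authorization configuration (the "other restrictions" the reply mentions), not by the certificate chain.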