Can freeradius support multiple client CA certificates?
Zhang, Ge (Gina)
2010-06-21 16:00:55 UTC
Hi list,

Is it possible to support multiple client CA certificates?
Suppose we want to support different customer groups. Each group has
its own CA certificate. Can freeradius support that?

Thanks a lot!
Gina Zhang


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
John Dennis
2010-06-21 16:19:56 UTC
Post by Zhang, Ge (Gina)
> Hi list,
> Is it possible to support multiple client CA certificates?
> Suppose we want to support different customer groups. Each group has
> its own CA certificate. Can freeradius support that?
Yes. If the CAs are in a bundle, set CA_file in eap.conf; if they are
individual files in a directory, set CA_path instead.

If you don't understand the above, read some OpenSSL documentation;

man SSL_CTX_load_verify_locations

would be a good place to start.
--
John Dennis <***@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Zhang, Ge (Gina)
2010-06-21 16:51:32 UTC
John,

Thank you very much for the information! I will try it.

Regards,
Gina

Zhang, Ge (Gina)
2010-06-21 17:01:13 UTC
John,

Is it possible to support multiple sets of server certificates so that one customer group would use
one server CA file?

Thanks a lot!
Regards,
Gina Zhang

John Dennis
2010-06-21 17:33:42 UTC
Post by Zhang, Ge (Gina)
> John,
> Is it possible to support multiple sets of server certificates so that one customer group would use
> one server CA file?
This is a basic PKI question, not really FreeRADIUS. In PKI there can
only be one certificate per server. You would have to have different
servers with different names and addresses.

The purpose of a server certificate is to prove to the client the server
it is connecting to is really the server it expects and is not a man in
the middle attack.

There is no way to configure the server to present different
certificates based on which client is connecting and there really isn't
much point.

I'm not sure why you would want to do this.
--
John Dennis <***@redhat.com>

Zhang, Ge (Gina)
2010-06-21 18:38:44 UTC
John,

Thanks a lot for your response. If I configure multiple virtual servers, would it be possible?

Thanks a lot,
Gina Zhang

John Dennis
2010-06-21 18:53:39 UTC
Post by Zhang, Ge (Gina)
> John,
> Thanks a lot for your response. If I configure multiple virtual servers, would it be possible?
A (FreeRADIUS) virtual server does not have a different IP address nor
would it have different subject names nor subject alt names.

I'm not getting the feeling you understand how PKI works; it might be
worthwhile to read up on it.
--
John Dennis <***@redhat.com>

Zhang, Ge (Gina)
2010-06-21 18:55:19 UTC
John,

Thank you very much for your advice!

Regards,
Gina Zhang

Robert Franklin
2010-06-21 20:03:21 UTC
Post by John Dennis
> A (FreeRADIUS) virtual server does not have a different IP address nor would it have different subject names nor subject alt names.
> I'm not getting the feeling you understand how PKI works; it might be worthwhile to read up on it.
When testing a new server certificate with a different chain to a new root CA, I set up a separate eap module with different certificates.

The two EAP modules were selected using the realm in the username -- ***@cam.ac.uk gave the normal certificates and ***@test.cam.ac.uk gave the new ones but used the same backend SQL lookup to find account information.

- Bob


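The two-instance setup Bob describes, written out as an added example in FreeRADIUS 2.x syntax (the release current when this thread was posted). It is not Bob's configuration and not the project's shipped eap.conf: the instance name eap_test, the certs-test directory, the test.cam.ac.uk realm taken from Bob's message, PEAP/MSCHAPv2 as the inner method, the "inner-tunnel" virtual server and the key passwords are all placeholders. The instance is chosen with a regex on the outer User-Name; rlm_realm with a matching realm entry in proxy.conf would do the same job.

```conf
# Added example, not Bob's or the project's own configuration: two rlm_eap
# instances, each with its own TLS context (server cert, key, trusted CAs),
# chosen by the realm in the outer User-Name. FreeRADIUS 2.x file layout.
# Instance name eap_test, the certs-test directory, the realm and the
# passwords are placeholders.

# --- raddb/eap.conf ---------------------------------------------------------
eap {
    default_eap_type = peap
    timer_expire     = 60
    max_sessions     = 4096

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # every customer group's CA in one bundle (CA_file), and/or one
        # CA per file under ${cadir} after `c_rehash ${cadir}` (CA_path)
        CA_file = ${cadir}/ca-bundle.pem
        CA_path = ${cadir}
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        cipher_list = "DEFAULT"
    }

    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"   # same SQL lookup for both instances
    }
    mschapv2 {
    }
}

# Second instance: new server certificate chained to the new root CA.
eap eap_test {
    default_eap_type = peap
    timer_expire     = 60
    max_sessions     = 4096

    tls {
        certdir = ${confdir}/certs-test
        cadir   = ${confdir}/certs-test
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${confdir}/certs/dh
        random_file = /dev/urandom
        cipher_list = "DEFAULT"
    }

    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# --- raddb/sites-enabled/default (relevant sections only) --------------------
authorize {
    preprocess
    # The outer identity is unauthenticated, so this only decides which
    # certificate set and trust store the client is offered.
    if (User-Name =~ /@test\.cam\.ac\.uk$/) {
        eap_test {
            ok = return
        }
    }
    else {
        eap {
            ok = return
        }
    }
    sql
}

authenticate {
    # rlm_eap sets Auth-Type to its own instance name, so the second
    # instance needs its own Auth-Type block.
    Auth-Type eap {
        eap
    }
    Auth-Type eap_test {
        eap_test
    }
}
```

Each `eap` instance gets its own SSL context, which is what makes the certificate sets independent. Since the outer identity is attacker-chosen, the split only changes what the server presents and trusts for that session; it does not authenticate anything by itself.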
Zhang, Ge (Gina)
2010-06-21 20:05:46 UTC
Bob,

Thank you so much for your help! I am going to try that on my system.

Regards,
Gina Zhang

John Dennis
2010-06-21 20:34:10 UTC
Post by Robert Franklin
> When testing a new server certificate with a different chain to a new
> root CA, I set up a separate eap module with different certificates.
Ah, good point and good suggestion. I had forgotten each module instance
has its own SSL context.
--
John Dennis <***@redhat.com>
