How to actually do this isn't completely self-evident, and less so if you use multiple sub-CAs.
FreeRADIUS basically hands the job to OpenSSL's routines and options. OpenSSL does not currently re-read CRLs in a running process, so after updating a CRL you need to restart the freeradius daemon (easily scripted). Keep in mind that every CRL carries a nextUpdate time: once it passes, OpenSSL treats the CRL as expired and rejects every certificate issued by that CA, so re-issue and redeploy your CRLs before they lapse, not after.
The important settings in FreeRADIUS are in /etc/freeradius/eap.conf, specifically check_crl and CA_path in the tls section. Also comment out CA_file: CA_path and CA_file are two ways of handing OpenSSL the same trust anchors, but CRL checking only works through the hashed CA_path directory, so use CA_path alone.
The relevant block of eap.conf, with the comment that ships with it:

    # Check the Certificate Revocation List
    #
    # 1) Copy CA certificates and CRLs to same directory.
    # 2) Execute 'c_rehash'.
    #    'c_rehash' is OpenSSL's command.
    # 3) uncomment the line below.
    # 4) Restart radiusd
    check_crl = yes
    CA_path = /etc/freeradius/certs/CA/

Be sure not to concatenate certificates in your CA_path. One CA, one file: c_rehash hashes the subject of the first certificate in each file, so a concatenated bundle gets a single hash link and the other CAs in it are never found. Then, after the c_rehash, your directory should look something like this:
    root@radius:~# ls -l /etc/freeradius/certs/CA/
    lrwxrwxrwx 1 root freerad    9 2012-04-26 03:15 12345678.0 -> local-sub-ca-1.pem
    lrwxrwxrwx 1 root freerad   13 2012-04-26 03:15 12345678.r0 -> sub-ca-1-crl.pem
    lrwxrwxrwx 1 root freerad   11 2012-04-26 03:15 23456789.0 -> local-root-ca.pem
    lrwxrwxrwx 1 root freerad    8 2012-04-26 03:15 3456789a.0 -> local-sub-ca-2.pem
    lrwxrwxrwx 1 root freerad   12 2012-04-26 03:15 3456789a.r0 -> sub-ca-2-crl.pem
    -rw-r--r-- 1 root freerad 1360 2012-04-24 15:04 local-root-ca.pem
    -rw-r--r-- 1 root freerad 1360 2012-04-24 15:06 local-sub-ca-1.pem
    -rw-r--r-- 1 root freerad 1384 2012-04-24 14:58 local-sub-ca-2.pem
    -rw-r--r-- 1 root freerad 1251 2012-04-26 03:15 sub-ca-1-crl.pem
    -rw-r--r-- 1 root freerad  739 2012-04-26 03:15 sub-ca-2-crl.pem

Each CA certificate gets a <hash>.0 link and its CRL a <hash>.r0 link with the same hash, which is how OpenSSL pairs them up at lookup time.

Thanks to Yasuhiro ABE for pointing me in the right direction. Thank you very much, Abe-san! That was great!
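The "easily scripted" part, as an added example that is not from the original post: a POSIX sh script that refuses unparseable or already-expired CRLs, copies the new ones into CA_path, rebuilds the hash links, reports any CA certificate that has no CRL beside it, and restarts the daemon. The staging directory, the "*-crl.pem" naming, the CA_PATH default, the service name, and the use of GNU `date -d` to parse nextUpdate are assumptions, not anything the post specifies. Because the post's own listing has no CRL for the root CA (it only signs the sub-CAs), a missing CRL is reported as a warning rather than treated as fatal; tighten that if every CA in your directory issues client certificates.

```shell
#!/bin/sh
# deploy-crls.sh (example, not the post's own script): refresh the CRLs in
# FreeRADIUS's CA_path directory and restart the daemon so OpenSSL reloads them.
set -eu

# Assumed defaults; CA_PATH must match the CA_path setting in eap.conf.
CA_PATH="${CA_PATH:-/etc/freeradius/certs/CA}"
SERVICE="${SERVICE:-freeradius}"

# A CRL whose nextUpdate has passed makes OpenSSL reject every certificate
# from that CA, so check it before deploying. Assumes GNU date for -d.
crl_is_usable() {
    crl="$1"
    openssl crl -in "$crl" -noout >/dev/null 2>&1 || return 1
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    next_epoch=$(date -d "$next" +%s) || return 1
    [ "$next_epoch" -gt "$(date +%s)" ]
}

# Rebuild the <hash>.N / <hash>.rN symlinks that CA_path lookups depend on.
# Newer OpenSSL has `openssl rehash`; older releases only ship c_rehash.
rehash_dir() {
    dir="$1"
    if openssl rehash "$dir" >/dev/null 2>&1; then return 0; fi
    c_rehash "$dir" >/dev/null
}

# Print the hash of every CA certificate link (<hash>.0) in DIR that has no
# CRL link (<hash>.r0) next to it. Returns 1 if any is missing. Pure shell.
missing_crls() {
    dir="$1"
    rc=0
    for cert in "$dir"/*.0; do
        [ -e "$cert" ] || continue      # unmatched glob stays literal
        h=$(basename "$cert" .0)
        if [ ! -e "$dir/$h.r0" ]; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Same lookup OpenSSL performs inside FreeRADIUS, runnable without the daemon:
# chain and CRL check of a client certificate against the CA_path directory.
verify_client_cert() {
    openssl verify -crl_check -CApath "$CA_PATH" "$1"
}

deploy_crls() {
    staging="$1"   # directory holding the freshly issued CRLs as *-crl.pem
    for crl in "$staging"/*-crl.pem; do
        [ -e "$crl" ] || { echo "no *-crl.pem files in $staging" >&2; return 1; }
        crl_is_usable "$crl" || { echo "refusing $crl: unparseable or expired" >&2; return 1; }
    done
    cp "$staging"/*-crl.pem "$CA_PATH"/
    rehash_dir "$CA_PATH"
    missing=$(missing_crls "$CA_PATH") \
        || echo "warning: CA certificates without a CRL in $CA_PATH: $missing" >&2
    # OpenSSL will not pick up the new CRLs in the running process.
    service "$SERVICE" restart
}

# Usage: ./deploy-crls.sh deploy /path/to/new-crls
if [ "${1:-}" = "deploy" ]; then
    shift
    deploy_crls "$@"
fi
```

Run `verify_client_cert some-client.pem` after a deployment; a revoked certificate fails there with "certificate revoked", which is the same result FreeRADIUS will produce at EAP-TLS time.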