Different root CA for wpa_supplicant and freeradius

Jouni Malinen j
Tue Jan 29 17:53:58 PST 2008

On Tue, Jan 29, 2008 at 11:07:57AM +0100, Carolin Latze wrote:

> I plan to use different root CAs for the authentication server
> (freeradius) and the peers (wpa_supplicant) in EAP-TLS. The reason is
> that I use a TPM on the client side, which retrieves certificates from a
> special CA (a so called Privacy CA), but I don't use a TPM on the server
> side. Both are valid X509 certificates, so it should be possible to
> authenticate each other. What do you think? Are there any implementation
> issues, which forbid such a setup?

Who issues the Privacy CA certificate? The authentication server would
need to bet configured to trust either the Privacy CA or its issuer (or
another CA continuing on that path, if there are more). It would also be
useful to make sure that the authentication server is configured with
the full CA chain for its own certificate. Likewise, the EAP-TLS peer
will need to be configured with the trusted CA(s) to allow it to
authenticate the server and to include any possible intermediate CAs in
the TLS handshake, if needed.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list