
CC3235S: Authenticate the CC3235S with an intermediate AND root CA to a RADIUS server

Part Number: CC3235S


Dear Shlomi

Regarding the authentication with an intermediate AND root CA to a RADIUS server we still are not able to connect.

Can you confirm:

- Both the intermediate and root CA are stored in the same file ca.der in the PEM format (see also screenshot)?

- Only one ca.der file is stored in the sys/cert folder (with both certificates in the same file)?

- The CC3235 will then go automatically through all certificates stored in that one file?

Many thanks

Marc

  • Hi Marc,

    As I explained previously, the ca file for enterprise connection should contain the root CA itself and not the entire chain.

    The client gets the chain from the server and tests it against the root CA stored in the file system.

    The intermediate certificate should be left out. Can you modify and remove it from the file and retest?

    Shlomi

  • Dear Shlomi

    Many thanks for your response. We will test it with our customer with the root CA only in the ca.der file and get back to you.

    Kind regards

    Marc

  • Thanks, and please note that enterprise is supported with TLS1.0 only (some RADIUS servers deprecate it and mandate TLS1.2).

    Shlomi

  • Dear Shlomi

    Many thanks. Yes, we are aware of the TLS1.0 limitation. I set the RADIUS server to accept TLS1.0 and it works great with the root certificates.

    The problem is the intermediate certificates:

    I did some tests and get the following messages:

    Not sure what it means?

    Here's the entire folder with all the scripts to generate the certificates and keys:

    0 - createCA.bat

    0 - createIntermediateCA.bat

    1 - createCombinedClientServerCertificate.bat

    CreateIntermediateEnterprise060525.zip

    Can you have a look what I'm missing or doing wrong?

    Many thanks

    Marc

  • Hi,

    Just to understand, why do you add the intermediate certificate and chain it with the root CA?

    As I explained earlier, SL expects to have the root CA only and it checks it against the chain that it gets from the server.

    Regards,

    Shlomi

  • Dear Shlomi

    Thanks for your response.

    Just to understand, why do you add the intermediate certificate and chain it with the root CA?:

    In the ca for the CC3235 there is ONLY the root certificate, please check the folder 'CAClient 060525' I prepared:

    However I get the error message. Can you let me know what I need to change?

    Many thanks

    Marc

  • Hi,

    So it fails right after you send the client certificate.

    According to the log in the server it says: "unsupported certificate purpose".

    Not sure what it is exactly but when looking on the client certificate itself, it seems like the client certificate is of CA type and is self signed. I would expect it to be a regular (non CA) type of certificate and the issuer should be the root CA.

    Regards,

    Shlomi

  • Dear Shlomi

    Many thanks. What I / our customer needs is a working ca, private key and certificate for the CC3235.

    Can you please provide the openssl commands step by step you would use to create the ca, private key and certificate to work on a CC3235 for the case of intermediate certificates?

    PS: The commands I used are in the 'bat' files as mentioned above in the zip folder provided, you can also tell me which commands I need to change there to get it to work.

    Kind regards

    Marc

  • Hi Marc,

    I am on a business trip so it will be delayed but again, just to highlight what I mentioned, root CA is of CA type and is self signed. The client certificate can be chained but it should not be a CA type and should not include the CA certificate, just the chain up to and not including the root CA. The peer device then verifies the chain against the stored root CA. This is not the case with your certificate.

    Regards,

    Shlomi
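The layout Shlomi describes in his last reply (self-signed CA-type root stored alone on the device; non-CA client certificate issued by the intermediate; presented chain stops short of the root), built with openssl as an added example that is not code from the thread or from TI. The subjects, file names and the `build_pki`/`verify_as_client` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a root -> intermediate -> client PKI
# built with openssl and laid out the way Shlomi describes. All subjects and
# file names are constructed for this example.

# Build the PKI into directory $1 (subshell keeps cd and set -e local).
build_pki() (
  set -e
  cd "$1"
  # 1. Root CA: self-signed, CA:TRUE. Only this certificate is converted to
  #    ca.der for the device's sys/cert; the intermediate is not stored there.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.pem 2>/dev/null
  openssl x509 -in root.pem -outform DER -out ca.der
  # 2. Intermediate CA: CA:TRUE, issued by the root; it travels in the chain
  #    the client presents rather than living on the device.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null
  # 3. Client (supplicant) certificate: CA:FALSE with clientAuth, issued by the
  #    intermediate. A CA-type or self-signed certificate in this slot is what
  #    the RADIUS side rejects as "unsupported certificate purpose".
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=cc3235-device-0001" 2>/dev/null
  openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -sha256 -extfile client.ext -out client.pem 2>/dev/null
  # 4. What the device presents: leaf first, then the intermediate, root omitted.
  cat client.pem inter.pem > client_chain.pem
)

# Check certificate $2 as a TLS client certificate against the root in $1,
# with the presented chain supplied as untrusted, as the RADIUS server does.
# Returns 0 if it verifies; on failure openssl prints the reason.
verify_as_client() {
  openssl verify -CAfile "$1/root.pem" -purpose sslclient \
    -untrusted "$1/client_chain.pem" "$2"
}
```

Running `verify_as_client "$dir" "$dir/inter.pem"` (a CA-type certificate in the client slot) reproduces the "unsupported certificate purpose" failure from the thread, while the properly issued `client.pem` verifies against `root.pem` alone.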