In a nutshell, I'm trying to trust Microsoft certificate authority in our domain, so that the CA-issued certificates for our domain controllers will be trusted. The application I am trying to get working is FreeRadius, though I suspect that is beside the point.
Thus far, reading and research say that I must:
1) Download the chain from the CA, and save in DER format, convert to PEM
2) Ensure the PEM from above is in /etc/pki/ca-trust/source/anchor
3) Run update-ca-trust
When I run radiusd in debug mode, it comes up saying:
TLS: certificate [CN=redactedservername] is not valid - error -8179: Peer's Certificate issuer is not recognized

To me this says that it's still not recognizing the issuing authority... which means I've probably done something wrong.
When I run:
openssl s_client -connect redactedservername:636 | more
I see that:
1) The chain shows the certificate is issued by my intended CA
2) The "verify return code" is 0 (ok)
3) The read:errno is 104
Does anyone have any thoughts?
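The three steps from the question, plus the verification check a practitioner would run before blaming the application, as an added shell example that is not part of the original post. It assumes the RHEL/CentOS trust layout (the anchors directory is /etc/pki/ca-trust/source/anchors, plural) and builds its own throwaway CA and server certificate, so it runs offline without root or a domain controller; the host names, file names and the helper functions (to_pem, install_anchor, verify_against, ldap_cacert_path, fetch_server_cert) are this example's own. The check it adds matters because error -8179 is NSS's SEC_ERROR_UNKNOWN_ISSUER, so the verdict in the radiusd log comes from NSS-based code: a clean "verify return code: 0" from OpenSSL's s_client shows only that OpenSSL's bundle trusts the CA, and the useful test is to verify the server certificate explicitly against the PEM you installed and against whatever file TLS_CACERT in /etc/openldap/ldap.conf names.

```shell
#!/bin/sh
# Added example, not from the original post: stage a Windows CA chain as a
# system trust anchor on RHEL/CentOS and verify a server certificate against
# it. Paths, host names and the throwaway CA below are constructed for the demo.
set -eu

ANCHORS_DIR=/etc/pki/ca-trust/source/anchors   # note: "anchors", plural

# PEM is ASCII with armor lines; a CA export without them is DER.
cert_format() {   # cert_format FILE -> prints PEM or DER
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Copy $1 to $2 as PEM, converting from DER when needed (step 1 of the question).
to_pem() {        # to_pem IN OUT
    if [ "$(cert_format "$1")" = PEM ]; then cp "$1" "$2"
    else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

# Number of certificates in a PEM bundle; a chain export holds root plus intermediates.
count_certs() {   # count_certs FILE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build the server certificate's chain against a CA file. Exit 0 only when the
# issuer is found there; this is the check behind "issuer is not recognized".
verify_against() {   # verify_against CA_FILE SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# CA file OpenLDAP clients are configured to trust (TLS_CACERT in ldap.conf).
ldap_cacert_path() {   # ldap_cacert_path [LDAP_CONF]
    awk '$1 == "TLS_CACERT" { print $2; exit }' "${1:-/etc/openldap/ldap.conf}" 2>/dev/null || true
}

# Save the leaf certificate an LDAPS endpoint presents, without trusting it.
fetch_server_cert() {   # fetch_server_cert HOST OUT_PEM
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# Steps 2 and 3 of the question: stage the chain and rebuild the bundles.
# Needs root; afterwards /etc/pki/tls/certs/ca-bundle.crt contains the chain.
install_anchor() {   # install_anchor CHAIN_PEM NAME
    install -m 0644 "$1" "$ANCHORS_DIR/$2.pem"
    update-ca-trust
}

# Offline demo with a constructed CA: DER->PEM conversion, a server certificate
# that verifies against its issuer, and the same certificate failing against an
# unrelated CA, which is what an "issuer is not recognized" error means.
demo_constructed_ca() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    for name in ca other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed $name Root" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -days 2 -in "$d/$name.csr" -signkey "$d/$name.key" \
            -extfile "$d/ca.ext" -out "$d/$name.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dc01.example.test' \
        -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/dc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/dc.pem" 2>/dev/null
    # A Windows CA download arrives as DER; convert it as step 1 describes.
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der"
    to_pem "$d/ca.der" "$d/chain.pem"
    [ "$(cert_format "$d/ca.der")" = DER ] || { echo "format detection failed"; return 1; }
    [ "$(count_certs "$d/chain.pem")" = 1 ] || { echo "conversion failed"; return 1; }
    verify_against "$d/chain.pem" "$d/dc.pem" || { echo "issuer should be recognized"; return 1; }
    if verify_against "$d/other.pem" "$d/dc.pem"; then echo "wrong CA accepted"; return 1; fi
    # A constructed ldap.conf: verify against the file the LDAP client really uses.
    printf 'TLS_CACERT %s/chain.pem\n' "$d" > "$d/ldap.conf"
    verify_against "$(ldap_cacert_path "$d/ldap.conf")" "$d/dc.pem" || { echo "ldap.conf CA mismatch"; return 1; }
    rm -rf "$d"
    echo "demo ok"
}

demo_constructed_ca
```

For a real chain the same helpers are used by hand: `to_pem chain.der chain.pem`, then as root `install_anchor chain.pem corp-ca`, then `fetch_server_cert dc01.example.test dc.pem` and `verify_against /etc/pki/tls/certs/ca-bundle.crt dc.pem`, and finally `verify_against "$(ldap_cacert_path)" dc.pem` to confirm the file the LDAP client is pointed at also contains the issuer. If the last check fails while the bundle check passes, the trust store the application consults is not the one that was updated.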