diff -Naurp freeradius-server-3.0.11/raddb/mods-available/eap freeradius-server-3.0.11.oden/raddb/mods-available/eap --- freeradius-server-3.0.11/raddb/mods-available/eap 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/mods-available/eap 2016-02-28 13:12:54.776031462 +0100 @@ -170,8 +170,8 @@ eap { # ANYONE who has a certificate signed by them can # authenticate via EAP-TLS! This is likely not what you want. tls-config tls-common { - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -183,7 +183,7 @@ eap { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/server.pem + certificate_file = ${system_ssldir}/certs/radiusd.pem # Trusted Root CA list # @@ -195,7 +195,7 @@ eap { # In that case, this CA file should contain # *one* CA certificate. # - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that @@ -236,7 +236,7 @@ eap { # # openssl dhparam -out certs/dh 2048 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh # # If your system doesn't have /dev/urandom, @@ -283,7 +283,7 @@ eap { # Check if intermediate CAs have been revoked. # check_all_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # # If check_cert_issuer is set, the value will diff -Naurp freeradius-server-3.0.11/raddb/mods-available/inner-eap freeradius-server-3.0.11.oden/raddb/mods-available/inner-eap --- freeradius-server-3.0.11/raddb/mods-available/inner-eap 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/mods-available/inner-eap 2016-02-28 13:12:54.776031462 +0100 
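Review bot: The added `private_key_password =` with an empty value in the first eap hunk only works if `${system_ssldir}/private/radiusd.pem` is an unencrypted PEM key, and the hunk does not say so. Relocating the key into a system-wide `private/` directory also means the daemon's unprivileged user (the config names it `radiusd` in the radiusd.conf.in hunk) must be able to read that one file while it stays unreadable to everyone else, and the patch does not state how that is arranged. I would add above the line: `# Key is expected unencrypted; keep it mode 0640, owned root:radiusd, and never world-readable.` The inner-eap, abfab-tls and tls hunks make the identical change and would take the same comment. The tls-config block continues outside the hunk.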
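Review bot: `ca_file = ${system_ssldir}/certs/ca-bundle.crt` in the @@ -195 eap hunk replaces a single private CA with what is, by name, the system-wide bundle of public CAs, contradicting the context line just above it (`this CA file should contain *one* CA certificate`) and the warning at the top of the first hunk that anyone holding a certificate signed by a trusted CA can authenticate via EAP-TLS. With this as the shipped default, a client certificate issued by any CA in the bundle would presumably be accepted for EAP-TLS, so the default trust model weakens from "our CA only" to "any public CA". For the eap, inner-eap, abfab-tls and tls listen/home_server hunks the setting should keep pointing at a dedicated CA, e.g. `ca_file = ${local_ssldir}/ca.pem`; the ldap and rest hunks are different, since there ca_file verifies an outbound server and the system bundle is the sensible choice. The eap block continues outside the hunk.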
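Review bot: `ca_path = ${local_ssldir}` in the @@ -283 eap hunk now names a different tree from `ca_file`, which an earlier hunk moved to `${system_ssldir}`, so if `check_all_crl = yes` (the commented-out line just above) is ever enabled, the hashed CRL files would have to be installed under `${local_ssldir}` even though the issuing CA is read from elsewhere. Before the change `ca_path = ${cadir}` and `ca_file = ${cadir}/ca.pem` shared one directory, so this split is new and undocumented; a comment such as `# CRLs (c_rehash'ed) are looked up here, not next to ca_file` would save an operator from a revocation check that presumably fails for want of a CRL. The same split appears in the abfab-tls and tls hunks. The enclosing block continues outside the hunk.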
@@ -49,8 +49,8 @@ eap inner-eap { # It might work, or it might not. # tls { - private_key_password = whatever - private_key_file = ${certdir}/inner-server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/inner-radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -62,11 +62,11 @@ eap inner-eap { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/inner-server.pem + certificate_file = ${system_ssldir}/private/inner-radiusd.pem # You may want different CAs for inner and outer # certificates. If so, edit this file. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt cipher_list = "DEFAULT" @@ -78,7 +78,7 @@ eap inner-eap { # fragment_size = 1024 # Other needful things - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh random_file = /dev/urandom # CRL and OCSP things go here. See the main "eap" diff -Naurp freeradius-server-3.0.11/raddb/mods-available/ldap freeradius-server-3.0.11.oden/raddb/mods-available/ldap --- freeradius-server-3.0.11/raddb/mods-available/ldap 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/mods-available/ldap 2016-02-28 13:12:54.776031462 +0100 
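Review bot: `certificate_file = ${system_ssldir}/private/inner-radiusd.pem` in the @@ -62 inner-eap hunk is the only certificate_file in this patch placed under `private/` rather than `certs/`; every other hunk (eap, rest, abfab-tls, tls) puts the certificate under `certs/` and only the key under `private/`. If the intent is a combined key-plus-certificate file, which the context comment about both being in the same file would allow and which matches `private_key_file` in the previous hunk, that should be stated in a comment; otherwise it reads as a typo for `${system_ssldir}/certs/inner-radiusd.pem`. The `ca_file` line in the same hunk carries the client-trust concern already raised on the outer eap hunk. The tls block continues outside the hunk.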
@@ -486,11 +486,11 @@ ldap { # using ldaps (port 636) connections # start_tls = yes -# ca_file = ${certdir}/cacert.pem +# ca_file = ${system_ssldir}/certs/ca-bundle.crt -# ca_path = ${certdir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key +# ca_path = ${local_ssldir} +# certificate_file = ${system_ssldir}/certs/radiusd.pem +# private_key_file = ${system_ssldir}/private/radiusd.key # random_file = /dev/urandom # Certificate Verification requirements. Can be: diff -Naurp freeradius-server-3.0.11/raddb/mods-available/rest freeradius-server-3.0.11.oden/raddb/mods-available/rest --- freeradius-server-3.0.11/raddb/mods-available/rest 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/mods-available/rest 2016-02-28 13:12:54.776031462 +0100 @@ -5,12 +5,12 @@ rest { # server. # tls { -# ca_file = ${certdir}/cacert.pem -# ca_path = ${certdir} +# ca_file = ${system_ssldir}/certs/ca-bundle.crt +# ca_path = ${local_ssldir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key -# private_key_password = "supersecret" +# certificate_file = ${system_ssldir}/certs/radiusd.pem +# private_key_file = ${system_ssldir}/private/radiusd.pem +# private_key_password = # random_file = /dev/urandom # Server certificate verification requirements. Can be: diff -Naurp freeradius-server-3.0.11/raddb/radiusd.conf.in freeradius-server-3.0.11.oden/raddb/radiusd.conf.in --- freeradius-server-3.0.11/raddb/radiusd.conf.in 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/radiusd.conf.in 2016-02-28 13:12:54.776031462 +0100 
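Review bot: `# private_key_file = ${system_ssldir}/private/radiusd.key` in the ldap hunk uses a `.key` file name, while the rest hunk in the same patch writes `${system_ssldir}/private/radiusd.pem`, the eap and tls hunks also use `radiusd.pem`, and abfab-tls goes back to `radiusd.key`. These presumably all refer to the same server key, so a packaged layout should settle on one file name so that uncommenting an example works without further editing. The lines are commented out, so nothing breaks today, but examples get copied as written. The ldap block continues outside the hunk.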
@@ -66,8 +66,8 @@ name = radiusd # Location of config and logfiles. confdir = ${raddbdir} modconfdir = ${confdir}/mods-config -certdir = ${confdir}/certs -cadir = ${confdir}/certs +system_ssldir = /etc/pki/tls +local_ssldir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} # Should likely be ${localstatedir}/lib/radiusd diff -Naurp freeradius-server-3.0.11/raddb/sites-available/abfab-tls freeradius-server-3.0.11.oden/raddb/sites-available/abfab-tls --- freeradius-server-3.0.11/raddb/sites-available/abfab-tls 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/sites-available/abfab-tls 2016-02-28 13:12:54.776031462 +0100 @@ -10,15 +10,15 @@ listen { proto = tcp tls { - private_key_password = whatever + private_key_password = # Moonshot tends to distribute certs separate from keys - private_key_file = ${certdir}/server.key - certificate_file = ${certdir}/server.pem - ca_file = ${cadir}/ca.pem - dh_file = ${certdir}/dh + private_key_file = ${system_ssldir}/private/radiusd.key + certificate_file = ${system_ssldir}/certs/radiusd.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt + dh_file = ${local_ssldir}/dh fragment_size = 8192 - ca_path = ${cadir} + ca_path = ${local_ssldir} cipher_list = "DEFAULT" cache { diff -Naurp freeradius-server-3.0.11/raddb/sites-available/tls freeradius-server-3.0.11.oden/raddb/sites-available/tls --- freeradius-server-3.0.11/raddb/sites-available/tls 2016-01-25 19:27:03.000000000 +0100 +++ freeradius-server-3.0.11.oden/raddb/sites-available/tls 2016-02-28 13:12:54.776031462 +0100 @@ -81,8 +81,8 @@ listen { # to refer to the "site1" sub-section of the "tls" section. # tls { - private_key_password = whatever - private_key_file = ${certdir}/server.pem + private_key_password = + private_key_file = ${system_ssldir}/private/radiusd.pem # If Private key & Certificate are located in # the same file, then private_key_file & 
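Review bot: The radiusd.conf.in hunk removes `certdir` and `cadir` outright, so any configuration that still references `${certdir}` or `${cadir}` — a shipped file this patch does not touch, or a site's local edits — will presumably fail to parse at startup on the unknown variable. Keeping the old names as aliases costs two lines, `certdir = ${local_ssldir}` and `cadir = ${local_ssldir}`, and makes the rename backward-compatible. `system_ssldir = /etc/pki/tls` is also an absolute path hard-coded into a `.in` template whose neighbouring values are derived from `${confdir}` and `${localstatedir}`; if the template is substituted at build time, taking the value from a substitution would keep the layout portable to systems whose TLS tree lives elsewhere.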
@@ -94,7 +94,7 @@ listen { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/server.pem + certificate_file = ${system_ssldir}/certs/radiusd.pem # Trusted Root CA list # @@ -111,7 +111,7 @@ listen { # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # # For DH cipher suites to work, you have to @@ -119,7 +119,7 @@ listen { # # openssl dhparam -out certs/dh 1024 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh # # If your system doesn't have /dev/urandom, @@ -160,7 +160,7 @@ listen { # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # # If check_cert_issuer is set, the value will @@ -376,8 +376,8 @@ home_server tls { status_check = none tls { - private_key_password = whatever - private_key_file = ${certdir}/client.pem + private_key_password = + private_key_file = ${system_ssldir}/private/client.pem # If Private key & Certificate are located in # the same file, then private_key_file & @@ -389,7 +389,7 @@ home_server tls { # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. - certificate_file = ${certdir}/client.pem + certificate_file = ${system_ssldir}/certs/client.pem # Trusted Root CA list # @@ -406,7 +406,7 @@ home_server tls { # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - ca_file = ${cadir}/ca.pem + ca_file = ${system_ssldir}/certs/ca-bundle.crt # # For TLS-PSK, the key should be specified @@ -428,7 +428,7 @@ home_server tls { # # openssl dhparam -out certs/dh 1024 # - dh_file = ${certdir}/dh + dh_file = ${local_ssldir}/dh random_file = /dev/urandom # 
@@ -456,7 +456,7 @@ home_server tls { # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - ca_path = ${cadir} + ca_path = ${local_ssldir} # # If check_cert_issuer is set, the value will