RADIUS Server Certificate Trust Issue with Apple Devices (CA in Trusted Root Store)

I'm currently facing an issue with my RADIUS server's EAP configuration and Apple devices. I'm using a certificate signed by "DigiCert Global Root G2", which is included in Apple's trusted CA store (https://support.apple.com/en-us/105116).

However, DigiCert uses an intermediate authority, "DigiCert Global G2 TLS RSA SHA256 2020 CA1", to sign customer certificates, and this seems to be causing a problem. When an Apple device tries to connect to the WiFi, the RADIUS server presents its certificate, but the device doesn't trust it due to the untrusted intermediate certificate.

Here's my current configuration:

  • Root CA in FreeRADIUS: "DigiCert Global Root G2"
  • Server certificate in FreeRADIUS: "Intermediate + Server certificate"

I have also tried to extend the CA with the full chain, but since the final certificate is issued by the intermediate authority, my Apple devices continue to report that they don't trust the certificate.

Has anyone else experienced this issue and found a solution? It seems unlikely that DigiCert would sign certificates with their (presumably offline) root authority.

Any help or suggestions would be greatly appreciated. Thanks!
