Issuing certificates with a Windows CA for PEAP auth

Hector.Ortiz at swisscom.com Hector.Ortiz at swisscom.com
Fri Oct 20 18:00:02 CEST 2006


When generating certificates for use by FreeRADIUS with PEAP (or EAP-TLS), there is an extension which has to be present in the server certificate for a Windows client to accept it after validating it against the root CA certificate. If that extension is missing from your FreeRADIUS certificate, the auth process fails: the client stops talking to your server because it refuses to accept your cert, even though the signature chain is fine. Some people would say that it is better to have EAP-TTLS, but sometimes it is not easy to deploy such a PKI. If you want to use PEAP or EAP-TLS and you happen to have your CA running on a Winbugs box, then this might be of help. We are going to generate a request with openssl and issue the certificate with Winbugs, with the needed extension embedded in the cert file.

There are two ways of doing this. For either of them, you need to have openssl installed in the computer where your freeradius server is and a Certification Authority running on a Winbugs box.

The first way, and the best one, is as follows:

From the computer where your freeradius is, you generate a request and a private key by: 

   shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

Because of -nodes the private key is written unencrypted, so FreeRADIUS needs no private_key_password for it; instead, restrict the permissions of mykey.pem so that only the user running radiusd can read it. The "challenge password" openssl prompts for is an attribute of the request, not a passphrase on the key, and FreeRADIUS never uses it, so you can leave it empty. If you would rather keep the key encrypted on disk, drop -nodes, choose a passphrase when prompted, and put that passphrase in private_key_password in eap.conf.
The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs
   
   shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

server.csr is the certificate request. Copy this file to the computer where your CA is.
Then, let's feed this request into your Winbugs CA. Open a command prompt window and type 

   C:\>certreq -submit server.csr

A window will pop up asking you to select the CA your request is to be submitted to. Select the one that you own.
This will give you a RequestID. This number is important because it'll be used for the next part.

When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol (CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS authentication, Microsoft specifies that certificates must have the "Enhanced Key Usage" attribute with the value "Server Authentication" (OID 1.3.6.1.5.5.7.3.1).
[Ref.: http://support.microsoft.com/kb/814394/en-us]

Since the certificate request generated in openssl according to the procedure above does not provide this attribute, it is necessary to add it to the pending request with the Windows CLI command "certutil".

The general syntax is

   C:\>certutil -setextension RequestID ExtensionOID Flags @InFile

- The OID for the attribute "Enhanced Key Usage" is : 2.5.29.37
- The flag value is set to 0.
- Create an input text file "eku.txt" holding the DER encoding of the extension value. It is a SEQUENCE (30) of length 10 (0a) containing one OBJECT IDENTIFIER (06) of length 8 (08), whose bytes 2b 06 01 05 05 07 03 01 are the OID 1.3.6.1.5.5.7.3.1 (Server Authentication):
  
  C:\>echo 30 0a 06 08 2b 06 01 05  05 07 03 01 > eku.txt

Finally, run the following command :

   C:\>certutil -setextension RequestID 2.5.29.37 0 @eku.txt

[Comment: to discover the OID of an attribute, it is possible to dump the contents of an existing valid certificate containing the needed attribute with : certutil -v certfile.cer
Ref.: http://technet2.microsoft.com/WindowsServer/en/library/165ee684-1c3a-4cc1-9c5b-0bc1ec1e710a1033.mspx?mfr=true]

Then, open your Certification Authority application, go to "Pending request", right click on the one you modified (RequestID), "All tasks"->"Issue"
Go to "Issued certificates" and double-click on the one you just issued (RequestID).
A window will open displaying cert's info. Go to the tab "Details" and check that the field "Enhanced Key Usage" is present and its value is "Server Authentication (1.3.6.1.5.5.7.3.1)". Click on the button "Copy to file..." and save it as either DER encoded or Base-64 encoded, give a filename (let's call it certificate for now) and finish the wizard. This will give you a file "certificate.cer". Copy this file to your freeradius server in /usr/local/etc/raddb/certs

   shell:~ # cd /usr/local/etc/raddb/certs

If you exported the certificate as DER encoded there is a final step you have to perform.
We need to convert this file to a format FreeRadius can understand. So, now type:

   shell:/usr/local/etc/raddb/certs # openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded, it is already PEM, so just rename the file (this step is optional, it's just to be consistent with the eap.conf at the end of this guide).

   shell:/usr/local/etc/raddb/certs # mv certificate.cer certificate.pem

Get your CA certificate (only the certificate, never the CA's private key) and put it in /usr/local/etc/raddb/certs. Suppose that your CA certificate is DER encoded in a file named ca.cer; then you convert it to PEM by 

   shell:~ # openssl x509 -inform DER -in ca.cer -outform PEM -out ca.pem
   shell:~ # cp ca.pem /usr/local/etc/raddb/certs

Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.
Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.
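Before restarting radiusd it is worth checking the three files the way a PEAP client will, and it is worth seeing what the bytes in eku.txt actually say. The script below is an added example and is not part of the original post: it assumes only that the openssl binary is on PATH. decode_eku_hex feeds the hex from eku.txt to openssl asn1parse, and check_eap_cert verifies that certificate.pem chains to ca.pem, carries the Server Authentication EKU, and belongs to mykey.pem. make_demo_pki builds a throwaway CA and two server certificates (one issued with the xpextensions section from this guide, one without) so the checks can be exercised offline; the CA name and the host name radius.example.net are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the files
# that go into raddb/certs. Assumes openssl is on PATH. Everything produced by
# make_demo_pki is constructed for the demonstration, not a real CA.
set -u

# Decode the hex bytes written to eku.txt and print the ASN.1 structure, so you
# can see it is a SEQUENCE holding the single OID 1.3.6.1.5.5.7.3.1, which
# openssl labels "TLS Web Server Authentication". Works with POSIX printf
# (octal escapes), so it does not need bash or xxd.
decode_eku_hex() {
    for b in $1; do
        printf "\\$(printf '%03o' "$((0x$b))")"
    done | openssl asn1parse -inform DER
}

# Verify a server certificate the way a PEAP client will: it must chain to the
# CA in CA_file, carry Enhanced Key Usage = Server Authentication, and the key
# in private_key_file must belong to it. Returns non-zero on any failure.
check_eap_cert() {
    ca=$1; cert=$2; key=$3; status=0

    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   $cert chains to $ca"
    else
        echo "FAIL: $cert does not chain to $ca"; status=1
    fi

    if openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "ok:   $cert has Enhanced Key Usage = Server Authentication (1.3.6.1.5.5.7.3.1)"
    else
        echo "FAIL: $cert lacks the Server Authentication EKU; Windows clients will reject it"; status=1
    fi

    # Compare the SubjectPublicKeyInfo from the cert with the one derived from the key.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$keypub" ] && [ "$certpub" = "$keypub" ]; then
        echo "ok:   $key matches $cert"
    else
        echo "FAIL: $key is not the private key for $cert"; status=1
    fi

    # Not fatal, but an unencrypted (-nodes) key must not be readable by anyone else.
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "WARN: $key is readable by group/others; restrict it to the radiusd user" ;;
    esac
    return $status
}

# Build a throwaway CA plus two server certificates in directory $1: one signed
# with the same xpextensions section the guide uses (serverAuth EKU), one without.
make_demo_pki() {
    (
        set -e
        mkdir -p "$1" && cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -days 3650 -subj "/CN=Demo Root CA" >/dev/null 2>&1
        # Same request as in the guide; -subj makes it run unattended.
        openssl req -new -nodes -newkey rsa:2048 -keyout mykey.pem -out server.csr \
            -subj "/CN=radius.example.net" >/dev/null 2>&1
        printf '[ xpserver_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' > xpextensions
        openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 365 -extfile xpextensions -extensions xpserver_ext \
            -out certificate.pem >/dev/null 2>&1
        openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 365 -out noeku.pem >/dev/null 2>&1
        chmod 600 ca.key mykey.pem
    )
}

# Stand-alone run: decode the guide's eku.txt bytes, then show the checks passing
# for the certificate issued with the extension and failing for the one without.
demo=$(mktemp -d)
make_demo_pki "$demo"
echo "--- eku.txt bytes from the guide decode to:"
decode_eku_hex "30 0a 06 08 2b 06 01 05  05 07 03 01"
echo "--- certificate issued with the extension:"
check_eap_cert "$demo/ca.pem" "$demo/certificate.pem" "$demo/mykey.pem" || true
echo "--- certificate issued without it:"
check_eap_cert "$demo/ca.pem" "$demo/noeku.pem" "$demo/mykey.pem" || true
rm -rf "$demo"
```

On a real server run check_eap_cert against the three files in /usr/local/etc/raddb/certs; the EKU test is exactly the field you inspected in the "Details" tab on the CA, and the key/cert comparison catches the common mistake of pairing a freshly issued certificate with a key from an earlier request.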




The second way of doing this, which is not very neat, is as follows:


From the computer where your freeradius is, you generate a request and a private key by: 

   shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

As in the first method, -nodes leaves the private key unencrypted, so no private_key_password is needed in eap.conf and the file must be protected by permissions instead; the challenge password openssl asks for is a request attribute that FreeRADIUS does not use.
The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs
   
   shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

Then, from the computer where your CA authority is, open a Command prompt window and type:

   C:\>certutil -backup directory

It will prompt you for the password for your private key and will generate a backup of your CA private and public key inside the directory "directory". Let's say that your password is "password".
Then, go to "directory"

   C:\>cd directory
   
And copy the file "Certification Authority.p12" to the computer where your FreeRadius is. This file contains both your CA's private and public keys. Then, from your freeradius computer, you need to convert this file to a format more "manageable".

   shell:~ # openssl pkcs12 -in "Certification Authority.p12" -out ca.pem

Then, you need to modify your /etc/ssl/openssl.cnf file. Locate the section [ CA_default ] and modify the lines certificate and private_key, so they point to the file you generated in the last step. Note that openssl ca also expects the CA directory layout named in that section (dir, new_certs_dir, the database file index.txt and the serial file) to exist; create those first or the signing step below will fail. Those lines should look like:

certificate	= /root/ca.pem
private_key	= /root/ca.pem

Once you have finished doing these changes, then create a file called xpextensions with the following contents:

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This is required to add the extension needed for your certificate. Then

   shell:~ # openssl ca -policy policy_anything -out certificate.pem -passin pass:password -key password -extensions xpserver_ext -extfile xpextensions -infiles server.csr

Delete the file server.csr

   shell:~ # rm server.csr

And copy the files ca.pem and certificate.pem to /usr/local/etc/raddb/certs

   shell:~ # cp ca.pem certificate.pem /usr/local/etc/raddb/certs

Once certificate.pem has been issued, strip the private key out of ca.pem and delete the .p12 copy: FreeRADIUS only needs the CA certificate in CA_file, and a CA private key sitting on the RADIUS server (or anywhere outside the CA) is a far bigger risk than the missing-EKU problem this guide works around.
Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.
Configure your clients to use PEAP, check the checkbox "Validate server certificate" and select your Trusted Root Certification Authority from the list.

SAMPLE EAP.CONF
eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        tls {
                # Only needed if mykey.pem is encrypted (generated without -nodes).
                # It is the key passphrase, not the CSR challenge password.
                #private_key_password = your-key-passphrase
                private_key_file = ${raddbdir}/certs/mykey.pem
                certificate_file = ${raddbdir}/certs/certificate.pem
                CA_file = ${raddbdir}/certs/ca.pem
                # dh_file must exist before radiusd starts (generate it with openssl dhparam)
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}




More information about the Freeradius-Users mailing list