certificates confusion

Craig White craigwhite at azapple.com
Mon Nov 24 22:18:47 CET 2008


Please excuse me if this isn't entirely related to freeradius, but it's
all about getting Windows XP laptops onto my wireless network with
freeradius and 802.1x.

I see that there are certificate failures and am thinking that I need to
clean this up.

Up until now, server2 is my CA and I have used that to generate and sign
certificates.

My radius server, though, is running on server1, and I think that my
failure is related to the fact that I'm generating the certificates and
signing them with server2.

So my questions...

1. Do I set up server1 to be its own CA or do I still use server2 as the
CA?

2. If server2 is the CA, do I then generate the request on server1, copy
it to server2 and then sign it on server2?

3. Does anyone see any problems with these methods of generating
certificates? (openssl on Linux)

# Generate server certificate signing request
openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
 -out $SSL/radius_server_req.pem \
 -days 730 \
 -config $SSL/openssl.cnf

# Sign server certificate
openssl ca -config $SSL/openssl.cnf \
 -policy policy_anything \
 -out $SSL/radius_server_cert.pem \
 -extensions xpserver_ext \
 -extfile $SSL/xpextensions \
 -infiles $SSL/radius_server_req.pem

# Edit out text information in radius_server_cert.pem and then run
# cat $SSL/radius_server_key.pem \
# $SSL/radius_server_cert.pem > \
# $SSL/radius_server_keycert.pem

# Generate client certificates
#
openssl req -new -keyout $SSL/radius_client_key.pem \
 -out $SSL/radius_client_req.pem \
 -days 730 \
 -config $SSL/openssl.cnf

# Sign client certificates
openssl ca -config $SSL/openssl.cnf \
 -policy policy_anything \
 -out $SSL/radius_client_cert.pem \
 -extensions xpclient_ext \
 -extfile $SSL/xpextensions \
 -infiles $SSL/radius_client_req.pem
#
cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > \
 $SSL/radius_client_keycert.pem

Thanks

Craig
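
The request-on-one-host, sign-on-the-CA flow from question 2, followed by the checks that narrow down a certificate failure, as an added example that is not part of the original post. It uses `openssl x509 -req` in place of `openssl ca` so that it runs without a CA database; the file names, subjects and the contents of `xpextensions` (the standard serverAuth/clientAuth EKU OIDs) are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; all names and paths are hypothetical.

# Build a demo CA ("server2") and a RADIUS server key + CSR ("server1"),
# then sign the CSR with the CA. $1 = work dir, $2 = extension section.
make_demo_pki() {
    d=$1; ext=$2
    # Assumed xpextensions contents: clientAuth / serverAuth EKU OIDs.
    cat > "$d/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # CA side (server2): self-signed root.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=Demo CA" -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null
    # RADIUS side (server1): the private key never leaves this host.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=radius.example.org" \
        -keyout "$d/srv_key.pem" -out "$d/srv_req.pem" 2>/dev/null
    # CA side again: only the CSR was copied over; validity is set at signing.
    openssl x509 -req -in "$d/srv_req.pem" -CA "$d/ca_cert.pem" \
        -CAkey "$d/ca_key.pem" -CAcreateserial -days 30 \
        -extfile "$d/xpextensions" -extensions "$ext" \
        -out "$d/srv_cert.pem" 2>/dev/null
}

# Return 0 only if the cert chains to the CA, is usable for TLS server
# authentication, and matches the private key. $1 = CA cert, $2 = cert, $3 = key.
check_radius_cert() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1 || {
        echo "FAIL: chain or server-auth purpose"; return 1; }
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: key does not match certificate"; return 1; }
    echo "OK"
}

# Demo run in a scratch directory.
tmp=$(mktemp -d) && make_demo_pki "$tmp" xpserver_ext &&
    check_radius_cert "$tmp/ca_cert.pem" "$tmp/srv_cert.pem" "$tmp/srv_key.pem"
```

The same `check_radius_cert` call works on real files: pass the CA certificate the clients trust, the server certificate, and the server key.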




