Multiple radius servers with the same CA
sphaero
arnaud at sphaero.org
Wed Mar 24 16:13:07 CET 2010
Matt Harlum wrote:
>
> Hi,
>
> John covered pretty much everything I was going to say
>
> I'd recommend choosing a machine to generate your keys and certs on and
> sticking with that, otherwise you'll end up with SSL Certs with clashing
> serial numbers
> Plus it'll allow you to revoke certificates later if need be
>
>
> Regards,
> Matt Harlum
>
> On 24/03/2010, at 11:30 PM, John Dennis wrote:
>
>> On 03/24/2010 06:21 AM, sphaero wrote:
>>>
>>> Hi All,
>>>
>>> I've been searching the archives for a while on some guidance into setting
>>> up multiple radius servers using the same CA for use with EAP/TTLS.
>>>
>>> I've generated a CA which is distributed to all the clients (i.e.
>>> SecureW2).
>>> I've got 2 radius servers for redundancy. All NAS devices have two radius
>>> servers configured.
>>>
>>> I'm using the scripts from freeradius 2.0 to generate the certificates
>>> according to instructions in the README. I've set up the ca.cnf and
>>> server.cnf (not using eap/tls so I skip clients.cf).
>>>
>>> On the primary radius server I generated the certificates by issuing:
>>> make
>>>
>>> Now on the second radius server I just copy the following files:
>>> /certs/ca.pem
>>> /certs/ca.key
>>> /certs/ca.der
>>> /certs/*.cnf
>>> /certs/Makefile
>>> /certs/README
>>> /certs/xpextensions
>>>
>>> and issue:
>>> make server
>>> make dh
>>>
>>> This seems to have worked. But is this really correct?
>>> I'm renewing one radius server and did this procedure again but now I'm
>>> receiving "chain could not be validated" errors in SecureW2. Radius log
>>> seems fine, however EAP communication is not finished, which corresponds
>>> with the client stopping communication since it can't validate the
>>> certificate.
>>> I'm really getting lost in the SSL jungle. I would really like to
>>> understand how this is done right, since it is about security.
>>
>> It would help to read the Makefile and understand it. Your goal is to
>> produce multiple certificates, each with a unique subject (e.g. the host
>> name of the radius server) and have it signed by the ca. There is no need
>> to do this process on each machine, the creation of certs can be done on
>> any machine.
>>
>> Find the part of the Makefile which says this:
>>
>> "Create a new server certificate, signed by the above CA."
>>
>> If you make the server.pem target (e.g. make server) it will cause
>> the Makefile to execute a series of commands to produce the certificate
>> starting with a CSR (Certificate Signing Request). Note, the server.csr
>> target depends on server.cnf so make sure you edit this for each server
>> whose certificate you want to generate (see the req(1) man page to
>> understand how the certificate subject, e.g. DN, may be specified).
>>
>> But also note in the Makefile that server.crt is dependent on ca.key and
>> ca.pem, which themselves are dependent on ca.cnf. If when you copy the
>> files the ca.cnf file ends up with a newer timestamp than ca.key or
>> ca.pem then a new ca will be created, you don't want that. You can either
>> fix the timestamps using touch or just make all the certs on one machine
>> so you don't have to worry about the ca being recreated.
>>
>>
>> After you've created your certificates on the one machine (don't forget to
>> rename the server.{crt,p12,pem} files) dump them out using
>>
>> openssl x509 -in XXX.pem -inform PEM -text
>>
>> and verify each has the certificate subject you expected.
>>
>> Then verify each cert with:
>>
>> openssl verify -CAfile ca.pem XXX.pem
>>
>> If that succeeds you'll know each is successfully signed by the same ca
>> and you can distribute that ca to your clients. Then copy your server
>> certs to your RADIUS hosts, don't forget to edit the config so
>> certificate names match how you named your certs (it will no longer be
>> server.{crt,p12,pem}).
>> --
>> John Dennis <jdennis at redhat.com>
>>
>
>
Hi all,
Thanks for these clarifications. So to clear this up I now have one machine
to generate the certificates. This machine had its CA set up according to
instructions found in the certs/README distributed with FR 2.
Certificates for a second radius server (radius2) using the same CA are
generated as follows:
# Certificate request (.csr) and key (.key); the key file name must match the
# -inkey used for the PKCS#12 export below
openssl req -new -out radius2.csr -keyout radius2.key -config ./server.cnf
# Certificate (.crt), signed by the CA
openssl ca -batch -keyfile ca.key -cert ca.pem -in radius2.csr -key $PASSWORD_CA \
    -out radius2.crt -extensions xpserver_ext -extfile xpextensions \
    -config ./server.cnf
# PKCS#12 bundle (.p12)
openssl pkcs12 -export -in radius2.crt -inkey radius2.key -out radius2.p12 \
    -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
# PEM (certificate plus key for the radius server)
openssl pkcs12 -in radius2.p12 -out radius2.pem \
    -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
(Of course the password vars are replaced with the values in the ca.cnf &
server.cnf)
I then copy the following files onto this second radius server:
radius2.pem and ca.pem
Finally I generate a dh file on the second radius server:
openssl dhparam -out dh 1024
Bump, still doesn't work :(
Am I still doing something wrong?
Rg,
Arnaud
--
View this message in context: http://old.nabble.com/Multiple-radius-servers-with-the-same-CA-tp28013061p28015932.html
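As an added example (not commands from this thread or from the FreeRADIUS Makefile), the script below runs the procedure John describes with plain openssl commands: one CA, one server certificate per host with the host name as its subject, and "openssl verify -CAfile ca.pem" on each before ca.pem goes to the clients. It also reproduces the failure in the original question, a CA that was recreated with the same subject but a new key, whose server certificates no longer validate against the ca.pem the clients already hold. It signs with "openssl x509 -req" instead of the Makefile's "openssl ca", and the organisation and host names are constructed values.

```shell
#!/bin/sh
# Added example: the "one CA, several RADIUS servers" procedure with plain
# openssl commands, plus the regenerated-CA failure from the question.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA (subject is a constructed example value).
make_ca() {                    # $1 = output prefix, e.g. "$WORK/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Org/CN=Example RADIUS CA" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Server cert with a unique subject (the host name), signed by the CA:
# CSR first, then the CA signs it, like the Makefile's "make server".
issue_server() {               # $1 = CA prefix, $2 = host name
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/$2.csr" -CA "$1.pem" \
        -CAkey "$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 only when the cert chains to the given CA file (the check John
# recommends before ca.pem is distributed to the clients).
chains_to() {                  # $1 = ca.pem, $2 = cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

subject_cn() {                 # print the CN of a cert
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

demo() {
    make_ca "$WORK/ca"
    issue_server "$WORK/ca" radius1
    issue_server "$WORK/ca" radius2
    chains_to "$WORK/ca.pem" "$WORK/radius1.crt" || return 1
    chains_to "$WORK/ca.pem" "$WORK/radius2.crt" || return 1
    [ "$(subject_cn "$WORK/radius2.crt")" = radius2 ] || return 1
    # The trap from the question: the CA was rebuilt (same subject, new key).
    # A server cert it signs does not validate against the ca.pem the clients
    # already have, which the supplicant reports as a broken chain.
    make_ca "$WORK/ca-regenerated"
    issue_server "$WORK/ca-regenerated" radius3
    if chains_to "$WORK/ca.pem" "$WORK/radius3.crt"; then return 1; fi
}

demo && echo "radius1/radius2 chain to ca.pem; radius3 (regenerated CA) does not"
```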