Help for buy a real Cert (not self-signed)
Brian Candler
b.candler at pobox.com
Wed Feb 1 17:19:48 CET 2017
On 01/02/2017 13:03, Brian Julin wrote:
> Just a regular web certificate will work except for very old windows clients where a
> special attribute is needed... it is sometimes hard to get CAs to issue this
> attribute.
>
> See: http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.html
"Microsoft specifies that certificates must have the "Enhanced Key
Usage" attribute with the value "Server Authentication" (OID
1.3.6.1.5.5.7.3.1)"
A free LetsEncrypt certificate has it - see below. I had no problems
using this certificate with Windows 7 or Windows 10, nor OSX, although
the three-month lifetime means frequent renewals.
The problem is if you ever let Linux or Android users near your network,
they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP.
I did wonder about making FreeRADIUS keep track of the client MAC
addresses it's seen. The first time it sees a new MAC address, it
*intentionally* returns a bad certificate, and if authentication
completes successfully, it puts the user into a different VLAN so they
can be isolated. However if the client aborts the authentication
exchange a couple of times, the server marks the MAC address as good and
then starts using the correct certificate, and returns the correct VLAN.
It would be an interesting project, but I don't have time to implement
it :-)
Regards,
Brian.
# cd /etc/letsencrypt/live/<snip>.com
# openssl x509 -in cert.pem -noout -text
...
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
...
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
...
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
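The check Brian describes (does the certificate's Extended Key Usage carry Server Authentication, OID 1.3.6.1.5.5.7.3.1) in code, as an added example that is not from this thread nor from FreeRADIUS: a small DER decoder for the extKeyUsage extension value. The byte strings are constructed here to match the Let's Encrypt output above (serverAuth plus clientAuth) and a hypothetical clientAuth-only certificate.

```python
# Added example (not from the mailing-list post): decode the DER value of an
# X.509 extendedKeyUsage extension and check for the serverAuth OID
# 1.3.6.1.5.5.7.3.1 that Windows supplicants require for EAP-PEAP/EAP-TLS.
# The extension value is a SEQUENCE OF OBJECT IDENTIFIER (RFC 5280, 4.2.1.12).

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos.
    Handles short- and long-form lengths (DER never uses indefinite lengths)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def eku_oids(der):
    """Return the list of OIDs inside an extKeyUsage extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(val))
    return oids

def has_server_auth(der):
    """True when the EKU lists TLS Web Server Authentication."""
    return SERVER_AUTH_OID in eku_oids(der)

# Constructed sample: EKU value of a Let's Encrypt style cert (serverAuth + clientAuth).
LE_STYLE_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# Constructed sample: a hypothetical certificate that only carries clientAuth.
CLIENT_ONLY_EKU = bytes.fromhex("300a" "06082b06010505070302")
```

On a real certificate the bytes fed to eku_oids are the contents of the extKeyUsage extension's OCTET STRING, which any X.509 parser can hand you.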