Is tinyca able to add the OID's supposedly required for Windows? -Ted- Paul Bartell wrote:
tinyca is a nice graphical interface for linux with openssl in the backend. Its much easier than remembering all the openssl commands needed, especially when you dont add/revoke certificates all the time.
On Mon, Nov 24, 2008 at 1:18 PM, Craig White <craigwhite@azapple.com> wrote:
please excuse me if this isn't entirely related to freeradius but it's all about getting WindowsXP laptops to my wireless network with freeradius and 8021.x
I see that there is certificate failures and am thinking that I need to clean this up
up until now, server2 is my ca and I have used that to generate and sign certificates.
my radius server though is running on server1 and I think that my failure is related to the fact that I'm generating the certificates and signing them with server2.
So my questions...
1. Do I set up server1 to be its own CA or do I still use server2 as the CA?
2. If server2 is the CA, do I then generate the request on server1, copy it to server2 and then sign it on server2?
3. Does anyone see any problems with these methods of generating certificates ? (openssl on Linux)
# Generate server certificate signing request openssl req -new -nodes -keyout $SSL/radius_server_key.pem \ -out $SSL/radius_server_req.pem \ -days 730 \ -config $SSL/openssl.cnf
# Sign server certificate openssl ca -config $SSL/openssl.cnf \ -policy policy_anything \ -out radius_server_cert.pem \ -extensions xpserver_ext \ -extfile $SSL/xpextensions \ -infiles $SSL/radius_server_req.pem
# Edit out text information in radius_server_cert.pem and then run # cat $SSL/radius_server_key.pem \ # $SSL/radius_server_cert.pem > \ # $SSL/radius_server_keycert.pem
# Generate client certificates # openssl req -new -keyout $SSL/radius_client_key.pem \ -out $SSL/radius_client_req.pem \ -days 730 \ -config $SSL/openssl.cnf
# Sign client certificates openssl ca -config $SSL/openssl.cnf \ -policy policy_anything \ -out $SSL/radius_client_cert.pem \ -extensions xpclient_ext \ -extfile $SSL/xpextensions \ -infiles $SSL/radius_client_req.pem # cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > $SSL/radius_client_keycert.pem
Thanks
Craig
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.