Chris Byrd wrote:
Can someone on the list share with me their experience with certificate signing? I'd like to submit a CSR to a commercial signing authority such as GoDaddy so that wireless clients can establish a TLS session with a trusted certificate. Is this as simple as: openssl genrsa -out radius.key 1024 openssl req -new -key radius.key -out radius.csr Then submitting the CSR to the signing authority?
Pretty much, but make sure the Root CA you submit it to is available and maintained on the clients that will be using your certificate. 'GoDaddy' for example, is almost certainly not. Where as 'Thawte Premium Server CA' (the certification authority we use) is almost always there by default.
My biggest concern is if the signing authority will add the Enhanced Key Usage parameters necessary to support Windows clients. I think I read that they add it to support SSL web servers, but I haven't been able to find that reference again.
Thats a bit hit and miss.
Also, in my testing it appears that unlike with web servers, it doesn't really matter what CN you use - since clients aren't resolving DNS at that point, it appears from my testing that they take any cert signed by a trusted signing authority, and don't do the standard check of FQDN == CN. Does that sound right?
Thats correct.
Thanks in advance,
Chris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900