I am considering use of a CA-signed SSL certificate. Comodo (instantssl.com) offers an "Intranet SSL" certificate good on a single, internal host. All of their documentation refers to set up with a web server or for email verification. Would it also work with FR? There signed certificates are returned as ".crt" files, is this the same as the cert-srv.pem referenced in the self-signed tutorial? TIA, Laker. __________________________________ Start your day with Yahoo! - Make it your home page! http://www.yahoo.com/r/hs
On Fri, 2005-12-02 at 10:03 -0800, Laker Netman wrote:
I am considering use of a CA-signed SSL certificate. Comodo (instantssl.com) offers an "Intranet SSL" certificate good on a single, internal host. All of their documentation refers to set up with a web server or for email verification. Would it also work with FR?
Are you doing PEAP on a wireless network with Windows clients? If so, you need to check that the certificate includes the server authentication oid 1.3.6.1.5.5.7.3.1 in the enhanced usage section. Cheers Ben
Yes, it's PEAP over wifi with XP supplicants. I will query the CA as to whether that oid is included. Regards, Laker --- Ben Thompson <bt4@york.ac.uk> wrote:
On Fri, 2005-12-02 at 10:03 -0800, Laker Netman wrote:
I am considering use of a CA-signed SSL certificate. Comodo (instantssl.com) offers an "Intranet SSL" certificate good on a single, internal host. All of their documentation refers to set up with a web server or for email verification. Would it also work with FR?
Are you doing PEAP on a wireless network with Windows clients?
If so, you need to check that the certificate includes the server authentication oid 1.3.6.1.5.5.7.3.1 in the enhanced usage section.
Cheers
Ben
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
One thing to be mindful of with InstantSSL is that they might be using a chained root cert. i.e. GlobalCorp has the CA, signs InstantSSL root as suitable for signing. InstantSSL signs your cert. This is not usually a problem for software like Apache httpd, but can cause problems with less flexible server software. 1. I do not know if InstantSSL is doing this (although I vaguely remember them as providing a certificate like this to someone I know) 2. I do not know if FreeRADIUS will have problems using the chained certificate. Cheers, Ben On 12/4/05, Laker Netman <laker_netman@yahoo.com> wrote:
Yes, it's PEAP over wifi with XP supplicants. I will query the CA as to whether that oid is included.
Regards, Laker
--- Ben Thompson <bt4@york.ac.uk> wrote:
On Fri, 2005-12-02 at 10:03 -0800, Laker Netman wrote:
I am considering use of a CA-signed SSL certificate. Comodo (instantssl.com) offers an "Intranet SSL" certificate good on a single, internal host. All of their documentation refers to set up with a web server or for email verification. Would it also work with FR?
Are you doing PEAP on a wireless network with Windows clients?
If so, you need to check that the certificate includes the server authentication oid 1.3.6.1.5.5.7.3.1 in the enhanced usage section.
Cheers
Ben
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________ Yahoo! DSL – Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Ben Thompson -
Ben Walding -
Laker Netman