FreeRADIUS TLS certificate signing
Can someone on the list share with me their experience with certificate signing? I'd like to submit a CSR to a commercial signing authority such as GoDaddy so that wireless clients can establish a TLS session with a trusted certificate. Is this as simple as: openssl genrsa -out radius.key 1024 openssl req -new -key radius.key -out radius.csr Then submitting the CSR to the signing authority? My biggest concern is if the signing authority will add the Enhanced Key Usage parameters necessary to support Windows clients. I think I read that they add it to support SSL web servers, but I haven't been able to find that reference again. Also, in my testing it appears that unlike with web servers, it doesn't really matter what CN you use - since clients aren't resolving DNS at that point, it appears from my testing that they take any cert signed by a trusted signing authority, and don't do the standard check of FQDN == CN. Does that sound right? Thanks in advance, Chris
Chris Byrd wrote:
Can someone on the list share with me their experience with certificate signing? I'd like to submit a CSR to a commercial signing authority such as GoDaddy so that wireless clients can establish a TLS session with a trusted certificate. Is this as simple as: openssl genrsa -out radius.key 1024 openssl req -new -key radius.key -out radius.csr Then submitting the CSR to the signing authority?
Pretty much, but make sure the Root CA you submit it to is available and maintained on the clients that will be using your certificate. 'GoDaddy' for example, is almost certainly not. Where as 'Thawte Premium Server CA' (the certification authority we use) is almost always there by default.
My biggest concern is if the signing authority will add the Enhanced Key Usage parameters necessary to support Windows clients. I think I read that they add it to support SSL web servers, but I haven't been able to find that reference again.
Thats a bit hit and miss.
Also, in my testing it appears that unlike with web servers, it doesn't really matter what CN you use - since clients aren't resolving DNS at that point, it appears from my testing that they take any cert signed by a trusted signing authority, and don't do the standard check of FQDN == CN. Does that sound right?
Thats correct.
Thanks in advance,
Chris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
I just went through the process last night, and the initial steps you outline are part of the first steps. I used RapidSSL and found it quite straight forward the knowledge base is well laid and answered any questions I had. After the initial submission of the CSR, you have to go through a validation process, once completed you get the cert and have to install it, all documented well. RapidSSL also offers a 30 day trial SSL that may be beneficial in your situation. Good luck, -Stubbs
Can someone on the list share with me their experience with certificate signing? I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate. Is this as simple as: openssl genrsa -out radius.key 1024 openssl req -new -key radius.key -out radius.csr Then submitting the CSR to the signing authority?
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Chris Byrd Sent: Tuesday, October 02, 2007 9:42 AM To: freeradius-users@lists.freeradius.org Subject: FreeRADIUS TLS certificate signing Can someone on the list share with me their experience with certificate signing? I'd like to submit a CSR to a commercial signing authority such as GoDaddy so that wireless clients can establish a TLS session with a trusted certificate. Is this as simple as: openssl genrsa -out radius.key 1024 openssl req -new -key radius.key -out radius.csr Then submitting the CSR to the signing authority? My biggest concern is if the signing authority will add the Enhanced Key Usage parameters necessary to support Windows clients. I think I read that they add it to support SSL web servers, but I haven't been able to find that reference again. Also, in my testing it appears that unlike with web servers, it doesn't really matter what CN you use - since clients aren't resolving DNS at that point, it appears from my testing that they take any cert signed by a trusted signing authority, and don't do the standard check of FQDN == CN. Does that sound right? Thanks in advance, Chris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Arran Cudbard-Bell -
Chris Byrd -
David Stubblefield