Re: understanding the process of setting up eap-tls server/client certs
I'm working on setting up EAP-TLS so that the client (iPad) can be issued a client cert and use it to authenticate with Radius. I need some clarity on the process, particularly the roles of some of the different files generated and how to use them. 1. in order to generate the root ca, first I edit ca.cnf. It's straightforward except I don't understand the role of the "input" password. The "output" password I understand is for the private key - ca.key. 1.a. after editing ca.cnf, then i run make ca.pem. This uses openssl to run req to generate a self-signed root ca. Four files are generated: * index: it's empty. I don't know what it's for * serial. *.ca.pem: the root ca * ca.key: the private key for the root ca 1.b. in mods-enabled/eap, designate the location of the ca.pem file in the "ca_file = " field 2. make the server certs. 2.a. edit server.cnf. Again, I don't know what the "input" password is for. The output password I assume is the password for the private key. 2.b. make server.pem generates a bunch of files. I'm assuming the ones we need are server.pem and server.key 2.c. in mods-enabled/eap do the following: * private key password = <the "output password I set in server.cnf"> * "private key file = " the location of the newly generated server.key * "certificate file = " <the location of the newly generated server.pem> 2.d. questions about the files generated by "make server.pem": * what's server.crt? what's server.pem? when do I use one versus the other? * 01.pem is identical to server.crt. why and where would I use 01.pem instead of server.crt? 3. Now make a client cert signed by the server cert. 3.a. edit client.cnf. Set "input" and "output" passwords to something unique to the client? Or does one or both of these need to match the password from the server cert?? 3.b. make client.pem. This generates a bunch of files I'm assuming the one we need to install the client is client.key (and client.pem?) 4. Now for the client. The README says we need to install ca.crt on the client. I assume also the client.key needs to be put on the client. 5. I'm using jradius to try to test this. In the "Keys" tab: * Client Certificate file: I need to put client.key here * Client Certificate password: the password that the private key was encrypted with * Root CA chain file: ca.crt * Root CA chain password: the "output password" from ca.cnf I'm sure I am bungling some of this. Any help is appreciated. -- --- Michael Martinez http://www.michael--martinez.com
participants (1)
-
Michael Martinez