Adding a signed certificate from a signing authority
Apologies I seem to be hogging this today. My radius server is working fine, so now I want to add a signed certificate from a certificate authority. Are there any pointers on how to do this. I have found and carried out the steps on the wiki site around using "snake oil" certificates and then creating your own producution certificates. But I now would like to add the externally signed certificate for added security. Thanks again Iain ______________________________________________________ SCRI, Invergowrie, Dundee, DD2 5DA. The Scottish Crop Research Institute is a charitable company limited by guarantee. Registered in Scotland No: SC 29367. Recognised by the Inland Revenue as a Scottish Charity No: SC 006662. DISCLAIMER: This email is from the Scottish Crop Research Institute, but the views expressed by the sender are not necessarily the views of SCRI and its subsidiaries. This email and any files transmitted with it are confidential to the intended recipient at the e-mail address to which it has been addressed. It may not be disclosed or used by any other than that addressee. If you are not the intended recipient you are requested to preserve this confidentiality and you must not use, disclose, copy, print or rely on this e-mail in any way. Please notify postmaster@scri.ac.uk quoting the name of the sender and delete the email from your system. Although SCRI has taken reasonable precautions to ensure no viruses are present in this email, neither the Institute nor the sender accepts any responsibility for any viruses, and it is your responsibility to scan the email and the attachments (if any). ______________________________________________________
Hi,
I have found and carried out the steps on the wiki site around using “snake oil” certificates and then creating your own producution certificates. But I now would like to add the externally signed certificate for added security.
sure....just put the relevant files into the right place...and edit the eap.conf accordingly. you will need the server cert and the CA.. if the CA is a chained cert, then you'll need the CA and its next up 9and its next up and its next up etc) concatenated in the same single file. theres nothing magical about using real certs...these days it seems some real world certs are just as work-causing/onerous as 'snake oil' certs. personally, I fall into the 'closed loop' camp which believes that using your own CA is more secure than some random external CA that anyone can get a cert from....noone else but your users will authenticate against your RADIUS server (external visitors get proxied and only have to trust their home RADIUS)....and, as previously mentioned, lots of current external 3rd parties require you to update/change/install certs on the client (take the recent TERENA SSLs served by JANET for example.....) alan
participants (2)
-
Alan Buxey -
Iain Grant