PEAP certificates, signing requirements and examples

Eshun Benjamin bkeshun at yahoo.fr
Mon Jul 9 17:29:54 CEST 2007


Hi All,
I came across this information and thought it would be nice to drop it here. Even though it is an SSL issue, it has to do with PEAP. Just to discuss; any comments.

PEAP certificates, signing requirements and examples 
 
There are only minor differences between standard SSL certificates used by secure web sites and those used with PEAP on 802.1x wireless networks.
 
With PEAP the SID of the network, rather than your organization's domain, must match the common name (cn) of the certificate. Additionally, an EKU (Enhanced Key Usage) for Server Authentication (OID 1.3.6.1.5.5.7.3.1) must be specified when creating your public certificate or signing request.

[ PEAP ]
# both OIDs on one comma-separated line: OpenSSL's config parser keeps only
# the last of two identical keys in a section, so two separate
# "extendedKeyUsage =" lines would silently drop clientAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1

[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

 
In these examples we will use the OpenSSL utility to create a Certificate Signing Request (CSR) used with a third party certificate authority such as Verisign or Thawte. We will also generate a ‘self-signed’ certificate that does not require a certificate authority but does require users to first accept your certificate as valid on a one-time basis, depending on the supplicant and its configuration.
 
 
Example creating a certificate signing request for a certificate authority

openssl req -new -nodes -keyout private.pem -out public.csr -extensions PEAP -config openssl.cnf


The output file public.csr is processed by your certificate authority (CA), which will return a signed certificate file to you. Combine private.pem with the certificate returned from the CA into a single file. This file becomes the ‘PEAP Certificate’ file. You will likely also need the CA’s certificate chain file if one is required. This file becomes the ‘PEAP CA Certificate’.


Example creating a ‘self-signed’ certificate 

openssl req -new -x509 -key private.pem -out public.pem -extensions PEAP -config openssl.cnf -days 5000 
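The following script is an added example, not part of the forwarded text or of FreeRADIUS itself. It runs the two openssl commands above against a minimal openssl.cnf containing the PEAP section, performs the key-plus-certificate concatenation described for the ‘PEAP Certificate’ file, and then checks what the text above only asserts: that the serverAuth EKU actually ended up in the certificate and in the CSR, and that the common name is what was requested. It goes slightly beyond the text in one place: for the CSR it uses -reqexts, the flag that selects request extensions, because on older OpenSSL releases -extensions only affects -x509 output and a CSR made with it reaches the CA with no EKU request at all. It assumes openssl is on PATH and the working directory is writable; the common name "example-ssid" is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original message or FreeRADIUS): generate a
# PEAP server certificate and CSR with the [ PEAP ] extension section, then
# verify the EKU and CN that the supplicant will look at.
# Assumptions: openssl on PATH, writable working directory; "example-ssid"
# is a constructed placeholder for the common name.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# Minimal configuration. Both EKU OIDs go on one comma-separated line:
# OpenSSL's config parser keeps only the last of two identical keys in a
# section, so two separate "extendedKeyUsage =" lines would drop clientAuth.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = example-ssid

[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1
EOF
}

# Self-signed certificate as in the message: key first, then req -x509.
make_self_signed() {
    openssl genrsa -out "$WORKDIR/private.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$WORKDIR/private.pem" -out "$WORKDIR/public.pem" \
        -extensions PEAP -config "$CNF" -days 5000 2>/dev/null
}

# CSR for a third-party CA. -reqexts names the section for request
# extensions; on older OpenSSL releases -extensions only affects -x509
# output, so a CSR made with -extensions carries no EKU request at all.
make_csr() {
    openssl req -new -nodes -keyout "$WORKDIR/csr-private.pem" \
        -out "$WORKDIR/public.csr" -reqexts PEAP -config "$CNF" 2>/dev/null
}

# The 'PEAP Certificate' file: private key and certificate concatenated.
combine() {
    cat "$WORKDIR/private.pem" "$WORKDIR/public.pem" > "$WORKDIR/peap-cert.pem"
}

# Checks: each returns 0 when the property holds, non-zero otherwise.
cert_has_server_auth() {   # $1 = PEM certificate (or combined key+cert) file
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}
cert_has_client_auth() {   # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}
csr_has_server_auth() {    # $1 = PEM CSR file
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}
cert_cn() {                # $1 = PEM certificate file; prints the CN
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
combined_has_key() {       # $1 = combined file; the private key must still load
    openssl pkey -in "$1" -noout 2>/dev/null
}

run_all() {
    write_config && make_self_signed && make_csr && combine || return 1
    cert_has_server_auth "$WORKDIR/public.pem" || { echo "cert lacks serverAuth EKU"; return 1; }
    csr_has_server_auth  "$WORKDIR/public.csr" || { echo "CSR lacks serverAuth EKU"; return 1; }
    echo "OK: CN=$(cert_cn "$WORKDIR/public.pem"), files in $WORKDIR"
}

run_all
```

The checks are the ones worth repeating on any certificate a CA hands back: a CA that ignores the requested extensions, or a CSR that never carried them, produces a certificate with no serverAuth EKU, and supplicants that enforce it will reject the RADIUS server without a helpful message.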


 
================================================== 
Benjamin K. Eshun






