PEAP certificates, signing requirements and examples
Eshun Benjamin
bkeshun at yahoo.fr
Mon Jul 9 17:29:54 CEST 2007
Hi All,
I came across this information and thought it would be nice to drop it here. Even though it is an SSL issue, it has to do with PEAP. Just to discuss; any comments.
PEAP certificates, signing requirements and examples
There are only minor differences between standard SSL certificates used by secure web sites and those used with PEAP on 802.1X wireless networks.
With PEAP the SSID of the network, rather than your organization's domain, must match the common name (cn) of the certificate. Additionally an EKU (Enhanced Key Usage) for Server Authentication (OID 1.3.6.1.5.5.7.3.1) must be specified when creating your public certificate or signing request.
[ PEAP ]
# serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2) as one
# comma-separated list: a key repeated within an openssl.cnf section does not
# accumulate, the later line simply replaces the earlier one.
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
In these examples we will use the OpenSSL utility to create a Certificate Signing Request (CSR) used with a third party certificate authority such as Verisign or Thawte. We will also generate a 'self-signed' certificate that does not require a certificate authority but does require users to first accept your certificate as valid on a one-time basis, depending on the supplicant and its configuration.
Example creating a certificate signing request for a certificate authority
openssl req -new -nodes -keyout private.pem -out public.csr -reqexts PEAP -config openssl.cnf
(-reqexts names the section of request extensions; -extensions selects certificate extensions when -x509 is used, and on OpenSSL releases where it applies only to -x509 the CSR would otherwise be issued without the EKU.)
The output file public.csr is processed by your certificate authority (CA), which will return a signed
certificate file to you. Combine private.pem with the certificate returned from the CA into a single file. This
file becomes the ‘PEAP Certificate’ file. You will likely also need the CA’s certificate chain file if one is
required. This file becomes the ‘PEAP CA Certificate’.
Example creating a ‘self-signed’ certificate
openssl req -new -x509 -key private.pem -out public.pem -extensions PEAP -config openssl.cnf -days 5000
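The following is an added example, not part of the original post: it builds a self-signed certificate from an openssl.cnf carrying the [ PEAP ] section above (keyed on the post's second openssl command, with the key created in the same step) and then checks the certificate for the two properties the post names, the expected common name and the serverAuth EKU. It assumes a stock openssl binary; the SSID "ExampleWLAN", the EKU lists and all file names are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a self-signed PEAP server
# certificate from an openssl.cnf with the [ PEAP ] section, then checks the
# two properties the post requires: CN equals the expected name and the
# serverAuth EKU (1.3.6.1.5.5.7.3.1) is present. Assumes a stock openssl
# binary; the SSID "ExampleWLAN" and all file names are constructed values.
set -e
WORK=$(mktemp -d)
SSID="ExampleWLAN"

# $1 = config path, $2 = CN, $3 = extendedKeyUsage value (one comma list;
# a key repeated inside a section would be overwritten, not accumulated).
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $2
[ PEAP ]
extendedKeyUsage = $3
EOF
}

# $1 = output dir, $2 = CN, $3 = EKU list. Same as the post's self-signed
# command, except the key is generated in the same step via -newkey.
make_selfsigned() {
    write_cnf "$1/openssl.cnf" "$2" "$3"
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout "$1/private.pem" \
        -out "$1/public.pem" -extensions PEAP -config "$1/openssl.cnf" \
        -days 5000 2>/dev/null
}

# $1 = certificate, $2 = expected CN. Returns 0 only if the CN matches AND
# the certificate carries the serverAuth EKU; either miss returns 1, which
# is what a supplicant's server-certificate validation would reject.
check_peap_cert() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | grep -Eq "CN=$2(,|\$)" || return 1
    openssl x509 -in "$1" -noout -text \
        | grep -q "TLS Web Server Authentication" || return 1
    return 0
}

make_selfsigned "$WORK" "$SSID" "serverAuth, clientAuth"
check_peap_cert "$WORK/public.pem" "$SSID" \
    && echo "OK: CN=$SSID with serverAuth EKU in $WORK/public.pem"
```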
==================================================
Benjamin K. Eshun
More information about the Freeradius-Users mailing list