FreeRADIUS TLS certificate signing
cbyrd01 at gmail.com
Tue Oct 2 18:42:06 CEST 2007
Can someone on the list share with me their experience with
certificate signing? I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate. Is this as simple as:
openssl genrsa -out radius.key 1024
openssl req -new -key radius.key -out radius.csr
Then submitting the CSR to the signing authority?
My biggest concern is if the signing authority will add the Enhanced
Key Usage parameters necessary to support Windows clients. I think I
read that they add it to support SSL web servers, but I haven't been
able to find that reference again.
Also, in my testing it appears that unlike with web servers, it
doesn't really matter what CN you use - since clients aren't resolving
DNS at that point, it appears from my testing that they take any cert
signed by a trusted signing authority, and don't do the standard check
of FQDN == CN. Does that sound right?
Thanks in advance,
More information about the Freeradius-Users