FreeRADIUS TLS certificate signing
Chris Byrd
cbyrd01 at gmail.com
Tue Oct 2 18:42:06 CEST 2007
Can someone on the list share with me their experience with
certificate signing? I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate. Is this as simple as:
openssl genrsa -out radius.key 1024
openssl req -new -key radius.key -out radius.csr
Then submitting the CSR to the signing authority?
My biggest concern is if the signing authority will add the Enhanced
Key Usage parameters necessary to support Windows clients. I think I
read that they add it to support SSL web servers, but I haven't been
able to find that reference again.
Also, in my testing it appears that unlike with web servers, it
doesn't really matter what CN you use - since clients aren't resolving
DNS at that point, it appears from my testing that they take any cert
signed by a trusted signing authority, and don't do the standard check
of FQDN == CN. Does that sound right?
Thanks in advance,
Chris
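The following is an added example, not part of the original post: a CSR that explicitly requests the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1, which Windows supplicants look for in the RADIUS server certificate), plus a check to run on the certificate the signing authority returns, since a CA decides for itself which extensions it issues. File names and the function names are constructed for illustration, and a 2048-bit key is used instead of the 1024 bits in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are
# constructed. Assumption: the client requires the serverAuth EKU, which
# openssl prints as "TLS Web Server Authentication".

# make_csr KEY CSR CN: generate a key and a CSR that *requests* serverAuth.
make_csr() {
    key=$1; csr=$2; cn=$3
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $cn
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl genrsa -out "$key" 2048 2>/dev/null &&
        openssl req -new -key "$key" -out "$csr" -config "$cnf"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# csr_requests_server_auth CSR: succeeds if the CSR carries the EKU request.
csr_requests_server_auth() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# has_server_auth CERT: succeeds only if the *issued* certificate has the EKU.
# Run this on what the CA sends back before installing it on the server;
# a request in the CSR does not guarantee the extension in the certificate.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}
```

Typical use is `make_csr radius.key radius.csr <server name>` before submission and `has_server_auth <issued cert>` once the certificate comes back.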