FreeRADIUS TLS certificate signing

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Oct 2 18:47:40 CEST 2007


Chris Byrd wrote:
> Can someone on the list share with me their experience with
> certificate signing?  I'd like to submit a CSR to a commercial signing
> authority such as GoDaddy so that wireless clients can establish a TLS
> session with a trusted certificate.  Is this as simple as:
> openssl genrsa -out radius.key 1024
> openssl req -new -key radius.key -out radius.csr
> Then submitting the CSR to the signing authority?
>   
Pretty much, but make sure the Root CA you submit it to is available and 
maintained on the clients that will be using your certificate.

'GoDaddy' for example, is almost certainly not.

Whereas 'Thawte Premium Server CA' (the certification authority we use) 
is almost always there by default.
> My biggest concern is if the signing authority will add the Enhanced
> Key Usage parameters necessary to support Windows clients.  I think I
> read that they add it to support SSL web servers, but I haven't been
> able to find that reference again.
>
>   
That's a bit hit and miss.
> Also, in my testing it appears that unlike with web servers, it
> doesn't really matter what CN you use - since clients aren't resolving
> DNS at that point, it appears from my testing that they take any cert
> signed by a trusted signing authority, and don't do the standard check
> of FQDN == CN.  Does that sound right?
>   
That's correct.
> Thanks in advance,
>
> Chris
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
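As an added example (not code from Chris's or Arran's posts): a script that produces the key and CSR from the question but explicitly asks for the serverAuth EKU in the request, plus a check to run on whatever certificate the CA sends back before it goes onto the RADIUS server. It assumes a POSIX sh and the openssl CLI; the file names and the self-signing stand-in for the commercial CA are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes POSIX sh + openssl CLI.
set -e

# Write an OpenSSL request config that asks for the extensions Windows
# PEAP/EAP-TLS supplicants expect on a RADIUS server certificate.
write_req_config() {
    cfg="$1"; cn="$2"
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $cn
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate the private key and a CSR carrying the requested extensions.
# 2048 bits rather than the 1024 in the question: CAs no longer sign 1024.
make_csr() {
    key="$1"; csr="$2"; cn="$3"
    write_req_config "$csr.cnf" "$cn"
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr" -config "$csr.cnf"
}

# Return 0 if the certificate carries the TLS Web Server Authentication EKU
# (the one Windows clients look for on the RADIUS server cert), 1 otherwise.
cert_has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Stand-in for the commercial CA (constructed for offline demonstration):
# self-sign the CSR, copying the extensions it requested.
self_sign_csr() {
    key="$1"; csr="$2"; crt="$3"
    openssl x509 -req -in "$csr" -signkey "$key" -days 365 \
        -extfile "$csr.cnf" -extensions v3_req -out "$crt" 2>/dev/null
}
```

Run `cert_has_server_auth_eku` on the real CA-issued certificate; a CA that strips the requested EKU is the "hit and miss" case above, and the check catches it before clients start failing.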

