FreeRADIUS TLS certificate signing
David Stubblefield
dave at kailea.com
Tue Oct 2 21:34:24 CEST 2007
I just went through the process last night, and the initial steps you
outline are part of the first steps. I used RapidSSL and found it quite
straightforward; the knowledge base is well laid out and answered any
questions I had. After the initial submission of the CSR, you have to go
through a validation process; once completed, you get the cert and have
to install it, all documented well. RapidSSL also offers a 30-day trial
SSL that may be beneficial in your situation.
Good luck,
-Stubbs
> Can someone on the list share with me their experience with
> certificate signing? I'd like to submit a CSR to a commercial signing
> authority such as GoDaddy so that wireless clients can establish a TLS
> session with a trusted certificate. Is this as simple as:
> openssl genrsa -out radius.key 1024
> openssl req -new -key radius.key -out radius.csr
> Then submitting the CSR to the signing authority?
>
-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Chris Byrd
Sent: Tuesday, October 02, 2007 9:42 AM
To: freeradius-users at lists.freeradius.org
Subject: FreeRADIUS TLS certificate signing
Can someone on the list share with me their experience with
certificate signing? I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate. Is this as simple as:
openssl genrsa -out radius.key 1024
openssl req -new -key radius.key -out radius.csr
Then submitting the CSR to the signing authority?
My biggest concern is if the signing authority will add the Enhanced
Key Usage parameters necessary to support Windows clients. I think I
read that they add it to support SSL web servers, but I haven't been
able to find that reference again.
Also, in my testing it appears that unlike with web servers, it
doesn't really matter what CN you use - since clients aren't resolving
DNS at that point, it appears from my testing that they take any cert
signed by a trusted signing authority, and don't do the standard check
of FQDN == CN. Does that sound right?
Thanks in advance,
Chris
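Added example, not part of the original thread: the CSR step asked about above, extended to request the Server Authentication EKU and to check a certificate for it, which is the Enhanced Key Usage concern raised for Windows clients. The 2048-bit key size, the file names, the helper function names and the self-signed stand-in for the CA's reply are assumptions of this example.

```shell
#!/bin/sh
# Added example; file names and the self-signed stand-in for a CA are assumptions.

# Create a key and a CSR that asks for the serverAuth EKU. A CA is free to
# ignore requested extensions, so the issued certificate is checked separately.
make_csr() {  # usage: make_csr <dir> <common-name>
    dir=$1; cn=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
extendedKeyUsage = serverAuth
EOF
    openssl genrsa -out "$dir/radius.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/radius.key" -config "$dir/req.cnf" \
        -out "$dir/radius.csr"
}

# Succeeds only if the PEM certificate lists the Server Authentication EKU.
has_server_auth() {  # usage: has_server_auth <cert.pem>
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Constructed stand-in for the CA's reply: self-sign the CSR, with the EKU
# when the third argument is "with_eku", without it otherwise.
fake_issue() {  # usage: fake_issue <dir> <out.pem> [with_eku]
    dir=$1; out=$2
    if [ "${3:-}" = with_eku ]; then
        set -- -extfile "$dir/req.cnf" -extensions v3_req
    else
        set --
    fi
    openssl x509 -req -in "$dir/radius.csr" -signkey "$dir/radius.key" \
        -days 1 -out "$out" "$@" 2>/dev/null
}
```

Running has_server_auth against the certificate the CA returns, before installing it in FreeRADIUS, shows whether the EKU was actually included.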