EAP SSL certificates - how to?
Alan DeKok
aland at deployingradius.com
Tue Apr 22 21:37:21 CEST 2008
matthew zeier wrote:
> I'm having problems figuring out how to create an SSL certificate for
> WPA Enterprise authentication.
The bootstrap scripts work for self-signed certificates. If you need
a certificate signed by CA, you will need to supply the "server.csr" to
the CA.
> Self-signed ones cause "unknown root" errors on OS X clients which I'd
> expect.
You need to import the self-signed certs as a known CA.
> I took a GeoTrust certificate off a webserver and now get
> "unknown trust" errors.
I have no idea what that means. If you are trying to use a
certificate signed by a CA such as Geotrust, then you have to supply the
certificate to GeoTrust. They will sign it with their certificate, and
give you certificate you can use. This is how certificates work.
However, for reasons outlined in raddb/certs/README, you should use
self-signed certificates.
> I'm looking for something that doesn't require end-user interaction.
(a) use a certificate from a known CA, and allow anyone *else* signed
by that CA to steal your user's passwords
(b) use a self-signed cert, and run an installation script on the
end-user machine.
> I generated a test certificate using the bootstrap script in the src
> dist. The server.crt appears to have the same x509 fields GeoTrust has
> (GeoTrust has more) so I'm not sure what I'm missing.
The certificate has to be signed by GeoTrust. Please read the "howto"
or "support" sections of the Geotrust web site for how certificates work.
> I'm also entirely unclear what he CN should be.
The name of the RADIUS server. Commonly, a DNS host name.
Alan DeKok.
More information about the Freeradius-Users
mailing list