certificates confusion

Paul Bartell paul-bartell at ubuntu.com
Tue Nov 25 00:05:05 CET 2008


tinyca is a nice graphical interface for Linux with openssl in the
backend. It's much easier than remembering all the openssl commands
needed, especially when you don't add/revoke certificates all the time.

On Mon, Nov 24, 2008 at 1:18 PM, Craig White <craigwhite at azapple.com> wrote:
> please excuse me if this isn't entirely related to freeradius but it's
> all about getting WindowsXP laptops to my wireless network with
> freeradius and 802.1X
>
> I see that there are certificate failures and am thinking that I need to
> clean this up
>
> up until now, server2 is my ca and I have used that to generate and sign
> certificates.
>
> my radius server though is running on server1 and I think that my
> failure is related to the fact that I'm generating the certificates and
> signing them with server2.
>
> So my questions...
>
> 1. Do I set up server1 to be its own CA or do I still use server2 as the
> CA?
>
> 2. If server2 is the CA, do I then generate the request on server1, copy
> it to server2 and then sign it on server2?
>
> 3. Does anyone see any problems with these methods of generating
> certificates ? (openssl on Linux)
>
> # Generate server certificate signing request
> openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
>  -out $SSL/radius_server_req.pem \
>  -days 730 \
>  -config $SSL/openssl.cnf
>
> # Sign server certificate
> openssl ca -config $SSL/openssl.cnf \
>  -policy policy_anything \
>  -out radius_server_cert.pem \
>  -extensions xpserver_ext \
>  -extfile $SSL/xpextensions \
>  -infiles $SSL/radius_server_req.pem
>
> # Edit out text information in radius_server_cert.pem and then run
> # cat $SSL/radius_server_key.pem \
> # $SSL/radius_server_cert.pem > \
> # $SSL/radius_server_keycert.pem
>
> # Generate client certificates
> #
> openssl req -new -keyout $SSL/radius_client_key.pem \
>  -out $SSL/radius_client_req.pem \
>  -days 730 \
>  -config $SSL/openssl.cnf
>
> # Sign client certificates
> openssl ca -config $SSL/openssl.cnf \
>  -policy policy_anything \
>  -out $SSL/radius_client_cert.pem \
>  -extensions xpclient_ext \
>  -extfile $SSL/xpextensions \
>  -infiles $SSL/radius_client_req.pem
> #
> cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > \
>  $SSL/radius_client_keycert.pem
>
> Thanks
>
> Craig
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
Random quote of the week/month/whenever i get to updating it:
"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff

"At school you don't get parole, good behavior only brings a longer
sentence." - The History Boys
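The split workflow asked about in questions 1 and 2 (CSR made on the RADIUS host, signature applied on the CA host, CA key never copied), as an added shell example that is not from the thread or from FreeRADIUS. Hostnames, subjects and file names are made up, the xpextensions content is assumed to be the serverAuth/clientAuth EKU sections, and `openssl x509 -req` stands in for the database-backed `openssl ca` command in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Argument: an empty scratch directory.
# "server2" comments = CA host (keeps ca_key.pem); "server1" = RADIUS host.
# Hostnames/subjects are made up; "openssl x509 -req" stands in for the
# database-backed "openssl ca" command used in the post.
set -eu

demo_eap_tls_certs() {
    cd "$1"

    # EKU sections in the style of xpextensions: serverAuth for the
    # RADIUS server cert, clientAuth for user certs (XP checks these).
    cat > xpextensions <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF

    # server2: self-signed CA; this key never leaves the CA host
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Lab CA" -keyout ca_key.pem -out ca_cert.pem

    # server1: private key + CSR only (-days on a plain CSR is ignored)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.lab" \
        -keyout radius_server_key.pem -out radius_server_req.pem

    # server2: sign the CSR copied over from server1, adding serverAuth
    openssl x509 -req -in radius_server_req.pem -days 730 \
        -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
        -extfile xpextensions -extensions xpserver_ext \
        -out radius_server_cert.pem

    # server1: checks before pointing eap.conf at the files.
    # 1. chains to the CA cert the XP laptops will be told to trust
    openssl verify -CAfile ca_cert.pem radius_server_cert.pem >/dev/null
    # 2. the key on server1 matches the cert that came back from server2
    [ "$(openssl pkey -in radius_server_key.pem -pubout)" = \
      "$(openssl x509 -in radius_server_cert.pem -noout -pubkey)" ]
    # 3. the EKU the XP supplicant looks for is present
    openssl x509 -in radius_server_cert.pem -noout -text \
        | grep -q 'TLS Web Server Authentication'

    # bundle as in the post: PEM blocks only, no "text" dump in the file
    cat radius_server_key.pem radius_server_cert.pem > radius_server_keycert.pem
}
```

The three checks are the ones worth running whenever a cert is signed on a different machine than the one that will serve it; a mismatch on any of them is a common cause of the "certificate failures" the supplicant reports.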


