certificates confusion

Ted Lum freeradius.org at tedworld.com
Tue Nov 25 00:16:14 CET 2008


Is tinyca able to add the OIDs supposedly required for Windows?

-Ted-

Paul Bartell wrote:
> tinyca is a nice graphical interface for Linux with openssl in the
> backend. It's much easier than remembering all the openssl commands
> needed, especially when you don't add/revoke certificates all the time.
>
> On Mon, Nov 24, 2008 at 1:18 PM, Craig White <craigwhite at azapple.com> wrote:
>   
>> Please excuse me if this isn't entirely related to freeradius, but it's
>> all about getting Windows XP laptops to my wireless network with
>> freeradius and 802.1x.
>>
>> I see that there are certificate failures and am thinking that I need to
>> clean this up.
>>
>> Up until now, server2 is my CA and I have used that to generate and sign
>> certificates.
>>
>> My radius server, though, is running on server1 and I think that my
>> failure is related to the fact that I'm generating the certificates and
>> signing them with server2.
>>
>> So my questions...
>>
>> 1. Do I set up server1 to be its own CA or do I still use server2 as the
>> CA?
>>
>> 2. If server2 is the CA, do I then generate the request on server1, copy
>> it to server2 and then sign it on server2?
>>
>> 3. Does anyone see any problems with these methods of generating
>> certificates ? (openssl on Linux)
>>
>> # Generate server certificate signing request
>> openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
>>  -out $SSL/radius_server_req.pem \
>>  -days 730 \
>>  -config $SSL/openssl.cnf
>>
>> # Sign server certificate
>> openssl ca -config $SSL/openssl.cnf \
>>  -policy policy_anything \
>>  -out radius_server_cert.pem \
>>  -extensions xpserver_ext \
>>  -extfile $SSL/xpextensions \
>>  -infiles $SSL/radius_server_req.pem
>>
>> # Edit out text information in radius_server_cert.pem and then run
>> # cat $SSL/radius_server_key.pem \
>> # $SSL/radius_server_cert.pem > \
>> # $SSL/radius_server_keycert.pem
>>
>> # Generate client certificates
>> #
>> openssl req -new -keyout $SSL/radius_client_key.pem \
>>  -out $SSL/radius_client_req.pem \
>>  -days 730 \
>>  -config $SSL/openssl.cnf
>>
>> # Sign client certificates
>> openssl ca -config $SSL/openssl.cnf \
>>  -policy policy_anything \
>>  -out $SSL/radius_client_cert.pem \
>>  -extensions xpclient_ext \
>>  -extfile $SSL/xpextensions \
>>  -infiles $SSL/radius_client_req.pem
>> #
>> cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > \
>>  $SSL/radius_client_keycert.pem
>>
>> Thanks
>>
>> Craig
>   
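
Added example, not part of the original thread: a way to check that a certificate signed with the xpserver_ext / xpclient_ext sections mentioned above really carries the Extended Key Usage OID that Windows looks for. Assumptions: the xpextensions contents shown here (the standard serverAuth and clientAuth OIDs; the thread does not show the file), a throwaway CA built in a temp directory, signing with "openssl x509 -req" rather than "openssl ca" so no CA database is needed, and the hypothetical function names cert_eku and issue_with_ext.

```shell
#!/bin/sh
# Added example: throwaway CA and constructed subject names, for testing only.

# Print the Extended Key Usage value of a PEM certificate (empty if absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 |
        sed 's/^ *//; s/ *$//'
}

# Issue a certificate from a throwaway CA using one xpextensions section
# (xpserver_ext or xpclient_ext) and echo the path of the signed certificate.
# The caller is responsible for removing the temp directory afterwards.
issue_with_ext() {
    section=$1
    dir=$(mktemp -d) || return 1
    # Assumed contents of the xpextensions file referenced by -extfile.
    cat > "$dir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # Throwaway self-signed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Test CA' \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_cert.pem" \
        >/dev/null 2>&1 || return 1
    # Key and certificate signing request for the end entity.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=radius.example.test' \
        -keyout "$dir/key.pem" -out "$dir/req.pem" \
        >/dev/null 2>&1 || return 1
    # Sign the request, pulling extensions from the chosen section.
    openssl x509 -req -in "$dir/req.pem" -days 1 \
        -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -extfile "$dir/xpextensions" -extensions "$section" \
        -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    echo "$dir/cert.pem"
}
```

Running cert_eku against a certificate produced by any CA front end shows whether the OID was added; an empty result means the extension is missing.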

