Generating a Microsoft compatible CSR for FreeRADIUS

Johnson, Neil M neil-johnson at
Thu Jan 20 20:08:59 CET 2011

We sign our RADIUS cert with a public CA for the same reason as you.

You will need to make sure that the Certificate Authority that you have sign your CSR adds the extensions.
The extensions that need to be added are in the file xpextensions in the certs directory of your FreeRadius installation.

Here they are.

#  File containing the OID's required for Windows.
[ xpclient_ext]
extendedKeyUsage =

[ xpserver_ext]
extendedKeyUsage =

Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-johnson at

From: at [ at] On Behalf Of Sallee, Stephen (Jake)
Sent: Thursday, January 20, 2011 12:28 PM
To: freeradius-users at
Subject: Generating a Microsoft compatible CSR for FreeRADIUS

I need help generating a Microsoft compatible CSR for my FR server that I can get signed by a public CA.

The documentation mentions special OID's that need to be present for MS machines to accept the cert, but I can't find WHAT those OID's are so I can make sure I include them in the CSR.

I know the docs also say that it is not best practices to use a publicly signed cart because ANYONE can auth against the server, however since I am in a position where almost all of the computers will NOT be managed by our staff (they are student workstations)  a public cert seems perfect.

If anyone has another route that will allow me to auth windows clients without having to manually install certs and/or manually configuring the wireless adapters I would be very grateful to hear your suggestions.


Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list