Generating a Microsoft compatible CSR for FreeRADIUS

Peter Lambrechtsen plambrechtsen at gmail.com
Fri Jan 21 14:11:09 CET 2011


On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk>wrote:

> >    2) Issuing client certs isn't that difficult.� with windows vista/7,
> >    installing a cert is a simple double-click operation, so if they have
> a
> >    usb flash, you can use linux to zip a copy of their private key and a
> .doc
> >    with instructions (including screenies!) on configuring their OS in a
> >    matter of seconds, all they have to do is stop by IT to request a key
> >    once, and it's good for as long as you honour it.
>
> if dealing with client keys - most of the times its just PEAP with
> user/pass
> and its the CA thats an issue.  even then there are ways of doing this
> quite
> easily... eg https://su1x.sf.net
>

I also quite like using the root certificates tool which happily imports
certificates into the root certificate store in windows.

Go to here: http://support.microsoft.com/kb/931125

Download the "rootsupd.exe<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe>"
from there and expand it with winzip or winrar.

Then convert your DER file into a P7B using OpenSSL:

openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der
-out internalca.p7b

Then use "updroots.exe" included in the exe to import the certificate into
your local certificate chain:

updroots -l internalca.p7b

And you're done

You can even use "iexpress" if you're running windows XP to re-package
everything back into a self extracting exe.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110122/e1afe62d/attachment.html>


More information about the Freeradius-Users mailing list