Valid SSL certificate deployment process

Ben Humpert ben at an3k.de
Thu Jun 18 10:48:56 CEST 2015


It is not advised to use certificates from a Public CA like VeriSign,
CACert or others because every certificate created by any of these is
accepted to authenticate against FR! Instead you should use your own
CA. Or you specify that only certificates signed by a given issuer are
allowed, but that is not that secure.

All files in /etc/raddb/certs can be deleted if you don't use the FR
scripts to create certificates but have your own CA to create these.
For FreeRADIUS you only need up to three files depending on what
format your certificates and keys are.

private_key_password = whatever
private_key_file = ${certdir}/Server.key
certificate_file = ${certdir}/Server.cer
ca_file = ${cadir}/ChainedCa.cer

Specify private_key_password only if the private key for your
Server.cer has a password. If not, uncomment it. If your key has a
password and you do not specify it, you'll have to enter it manually
when starting FR.
Point private_key_file to your FR Server certificate private key file.
Point certificate_file to your FR Server certificate file.
Point ca_file to your CA certificate(s).

ca_file should contain all certificates of the Certificate Chain. If
the Chain is e.g. Root CA cert > CA cert > FR Server cert then you need
Root CA cert and CA cert in one file. Before you combine both
certificates you have to check their contents. Each file should look
like:

-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----

If you have human readable content before or after these two lines,
delete it. It's just there for humans and all data shown is also
stored in the gibberish data between these two lines above.
If your Root-ca.cer and Ca.cer are ready, use these two commands to combine them:

cat Root-ca.cer > ChainedCA.cer
cat Ca.cer >> ChainedCA.cer

You now have two certificates in one file (ChainedCA.cer) and you
specify this new file in FR as ca_file. Root-ca.cer and Ca.cer are not
required anymore.

2015-06-18 2:40 GMT+02:00 Sunil Kulkarni -X (sunikulk - PERSISTENT
SYSTEMS INC at Cisco) <sunikulk at cisco.com>:
> Hello All,
>
> I am using FR 3.0.8 version. I have set up EAP-TTLS with PAP. For local setup and testing, I have used self-signed certificates.
> Now my setup and configuration is done and I want to do the setup on the production side.
> I have the following certificates from the CA; however, I am not getting how to deploy certificates in FreeRadius because the /etc/raddb/certs folder contains lots of certificates and related files.
> Root-ca.cer
> Ca.cer
> Server.cer
>
> Kindly help me on this?
>
> ---
> Thanks,
> Sunil Kulkarni
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
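The chain-building step above, as an added example that is not part of the original message: instead of a plain cat, it keeps only the PEM blocks of Root-ca.cer and Ca.cer (dropping any human-readable dump around them), strips CR characters from CRLF files, and writes every line with its own newline so a file without a final newline cannot glue its END marker onto the next BEGIN. The sample Root-ca.cer and Ca.cer it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): build ChainedCA.cer from
# Root-ca.cer and Ca.cer, keeping only the PEM blocks, root first.

# Print only the PEM certificate block(s) of a file. CRs from CRLF files
# are removed so the BEGIN/END markers match exactly; awk prints every
# line with a newline, even if the input lacks a final one.
pem_only() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/   { p = 0 }' "$1"
}

# Number of certificates in a file.
count_certs() {
    pem_only "$1" | grep -c '^-----BEGIN CERTIFICATE-----$'
}

# build_chain OUT FILE...  Appends the PEM block of each FILE to OUT in
# the given order and refuses files that do not hold exactly one cert.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        n=$(count_certs "$f")
        [ "$n" -eq 1 ] || { echo "$f: expected 1 certificate, found $n" >&2; return 1; }
        pem_only "$f" >> "$out"
    done
}

# Constructed stand-ins for Root-ca.cer and Ca.cer (placeholder bodies,
# not real certificates). Root-ca.cer has a human-readable dump before
# the block and no final newline; Ca.cer uses CRLF line endings.
make_samples() {
    printf '%s\n' 'Certificate:' '    Issuer: CN=Constructed Root' \
        '-----BEGIN CERTIFICATE-----' 'ROOTPLACEHOLDER' > "$1/Root-ca.cer"
    printf '%s' '-----END CERTIFICATE-----' >> "$1/Root-ca.cer"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'CAPLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/Ca.cer"
}

dir=$(mktemp -d)
make_samples "$dir"
build_chain "$dir/ChainedCA.cer" "$dir/Root-ca.cer" "$dir/Ca.cer"
echo "ChainedCA.cer holds $(count_certs "$dir/ChainedCA.cer") certificates"
# With real certificates, confirm Server.cer chains to the new file:
#   openssl verify -CAfile ChainedCA.cer Server.cer
```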
