Freeradius 3 self signed certificate

Jochen Demmer jochen.demmer at peakwork.com
Mon Jun 29 10:47:42 CEST 2015


Hi,

I'm trying to set up FreeRADIUS 3.0.4 under CentOS 7 with TTLS-EAP and 
MSCHAPv2.
My first tests using LDAP in the back and the server certificate 
installed by default were successful.
There won't be any authentication via client certificate. It's all about 
the server certificate for the TLS encryption.

There is a self-signed certificate which I would like to install in the 
server. Now I'm somewhat struggling with the server-side configuration.
Why do I want these cnf files in the certs directory? Honestly I 
expected to just place the certificate/key files there, link them in the 
config and be done.
I found some documents on the internet saying that this server 
certificate needs extended key usage attributes (1.3.6.1.5.5.7.3.1). Is 
that right?

The certificate is actually issued from a subCA. What do I have to 
consider when installing the cert, key and cacert in the FreeRadius 
server? Does the ca certificate need to be concatenated from the rootCA 
and also the subCA?
What do I need to consider when it comes to installing the cacert on the 
clients (iOS, Android, Windows 7+, Linux, OS X)? Does the certificate need 
to be a catted cert from the rootCA cert and the subCA cert?
Is there anything else I need to consider? We're using TinyCA 0.7.5.

Thank you list

-- 
*Jochen Demmer*
Network Administrator
T: +49-(0)241-4131146-29
jochen.demmer at peakwork.com

peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29 
| F: +49-(0)241-4131146-17

peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T: 
+49-(0)211-91368-500 | F: +49-(0)211-91368-509

Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt 
| Dr. Thomas van Kaldenkerken
Chairman of the supervisory board: Markus Voelkel
Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677

www.peakwork.com | www.peakwork.de
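
The two properties the post asks about, the 1.3.6.1.5.5.7.3.1 extended key usage (the OID of id-kp-serverAuth, which OpenSSL prints as "TLS Web Server Authentication") and the rootCA plus subCA concatenation, can be inspected with the openssl command line. This is an added example, not part of the original post and not FreeRADIUS's own tooling; it builds a constructed throwaway hierarchy, and every file name and subject name in it is an assumption.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root CA -> sub CA -> server cert).
# All file names and subject names are assumptions made up for this demo.

# issue NAME CN EXTFILE SIGNER [SERIAL]: write NAME.key and NAME.pem.
# SIGNER equal to NAME produces a self-signed root.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ "$4" = "$1" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -set_serial "$5" -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

make_chain() {
    mkdir -p "$1" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    # The EKU from the question, given by OID (id-kp-serverAuth).
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=1.3.6.1.5.5.7.3.1\n' > "$1/srv.ext"
    issue "$1/root" "Example Root CA" "$1/ca.ext" "$1/root" &&
    issue "$1/sub" "Example Sub CA" "$1/ca.ext" "$1/root" 2 &&
    issue "$1/server" "radius.example.org" "$1/srv.ext" "$1/sub" 3 &&
    cat "$1/sub.pem" "$1/root.pem" > "$1/ca-bundle.pem"
}

# True if the certificate lists the serverAuth EKU.
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# chain_ok CAFILE CERT: true if CERT verifies as a TLS server cert against CAFILE.
chain_ok() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir" || exit 1
has_server_auth "$demo_dir/server.pem" && echo "server cert: serverAuth EKU present"
chain_ok "$demo_dir/root.pem" "$demo_dir/server.pem" || echo "root only: server cert does not verify"
chain_ok "$demo_dir/ca-bundle.pem" "$demo_dir/server.pem" && echo "sub+root bundle: server cert verifies"
rm -rf "$demo_dir"
```

`openssl verify -purpose sslserver` accepts a leaf that has no extended key usage extension at all, which is why the EKU is checked separately with `has_server_auth`.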


