Freeradius 3 self signed certificate
A.L.M.Buxey at lboro.ac.uk
Mon Jun 29 11:50:20 CEST 2015
Hi,
> Why do I want these cnf files in the certs directory? Honestly I
> expected to just place the certificate/key files there, link them in
> the config and be done.
those files provide a good starting point if you want to use your own self-signed
cert - they provide required CA configuration and extensions.
> The certificate is actually issued from a subCA. What do I have to
> consider when installing the cert, key and cacert in the FreeRadius
> server? Does the ca certificate need to be concatenated from the
> rootCA and also the subCA?
on the server, you need to have the CA and any intermediates concatenated into
one file and read via the certificate_file option (ONLY use the CA_file if doing EAP-TLS!!)
> What do I need to consider when it comes to installing the cacert to
> the clients (iOS, Android, Windows 7+, Linux, OS X). Does the
> certificate need to be a catted cert from the rootca cert and the subca
> cert?
just the CA root....as the intermediate is being fed to it from the server. you could
install the intermediates too if the OS supports that.
> Is there anything else I need to consider? We're using TinyCA 0.7.5.
yes, ensure the cert you generate for the server contains the required extensions and
ensure that the CA you are using is correct/proper for 802.1X on modern OSes (this is
also something that you will need to keep an eye on as the OS vendors are changing their
rules...) - so ensure there's no MD5 at all - all SHA1 (256 or better!), ensure the CA
constraints are set, ensure there's an OCSP marker even though it's not used (thanks Windows Phone!)
alan
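
The checks listed in the reply above, as an added example that is not part of the original post or of FreeRADIUS: a shell function that lints the text dump of a certificate. The names `lint_cert_text` and `sample_weak_server_dump` are hypothetical, and two choices are assumptions: SHA-1 is treated as a failure, and the "required extensions" are taken to include the TLS Web Server Authentication EKU.

```shell
# Added example (not from the original post). Reads a certificate text dump:
#   openssl x509 -in cert.pem -noout -text | lint_cert_text ROLE   (server or ca)
# Prints one FAIL line per finding; return status is the number of findings.
lint_cert_text() {
    role=$1; text=$(cat); fails=0
    fail() { echo "FAIL ($role): $1"; fails=$((fails + 1)); }
    has()  { printf '%s\n' "$text" | grep -Eiq -- "$1"; }
    # "no MD5 at all"; SHA-1 is flagged too (assumption: "256 or better"
    # means SHA-256 and up).
    if has 'Signature Algorithm:.*md5'; then
        fail "MD5 signature algorithm"
    elif has 'Signature Algorithm:.*sha1'; then
        fail "SHA-1 signature algorithm, want SHA-256 or better"
    fi
    case $role in
    ca) # "ensure the CA constraints are set"
        has 'CA:TRUE' || fail "Basic Constraints CA:TRUE missing" ;;
    server) # Assumption: the required extensions include the serverAuth EKU.
        has 'TLS Web Server Authentication' ||
            fail "Extended Key Usage lacks TLS Web Server Authentication"
        # "an OCSP marker even though it's not used"
        has 'OCSP - URI:' || fail "no OCSP URI in Authority Information Access" ;;
    *)  echo "usage: lint_cert_text server|ca" >&2; return 64 ;;
    esac
    return "$fails"
}

# Constructed sample: abbreviated dump of a server cert with three problems
# (MD5 signature, no serverAuth EKU, no OCSP URI).
sample_weak_server_dump() {
    cat <<'EOF'
        Signature Algorithm: md5WithRSAEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_weak_server_dump | lint_cert_text server || true
```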