Freeradius 3 self signed certificate

A.L.M.Buxey at lboro.ac.uk
Mon Jun 29 11:50:20 CEST 2015


Hi,

> Why do I want these cnf files in the certs directory? Honestly I
> expected to just place the certificate/key files there, link them in
> the config and be done.

those files provide a good starting point if you want to use your own self-signed
cert - they provide required CA configuration and extensions. 

> The certificate is actually issued from a subCA. What do I have to
> consider when installing the cert, key and cacert in the FreeRadius
> server? Does the ca certificate need to be concatenated from the
> rootCA and also the subCA?


on the server, you need to have the CA and any intermediates concatenated into
one file and read via the certificate_file option (ONLY use the CA_file if doing EAP-TLS!!)


> What do I need to consider when it comes to installing the cacert to
> the clients (iOS, Android, Windows 7+, Linux, OS X)? Does the
> certificate need to be a catted cert from the rootca cert and the subca
> cert?

just the CA root....as the intermediate is being fed to it from the server. you could
install the intermediates too if the OS supports that.

> Is there anything else I need to consider? We're using TinyCA 0.7.5.

yes, ensure the cert you generate for the server contains the required extensions and
ensure that the CA you are using is correct/proper for 802.1X on modern OSes (this is
also something that you will need to keep an eye on as the OS vendors are changing their
rules...) - so ensure there's no MD5 at all - all SHA1 (256 or better!), ensure the CA
constraints are set, ensure there's an OCSP marker even though it's not used (thanks Windows Phone!)

alan
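
A pre-deployment check for the points in the reply above, as an added example that is not part of the original post or of FreeRADIUS. It uses the `openssl` command line; the function names and file arguments are assumptions made for the illustration, and it reads "256 or better" as rejecting SHA-1 as well as MD5 signatures.

```shell
#!/bin/sh
# Added example: checks for an EAP server certificate chain before deployment.
# Function names and file arguments are illustrative, not FreeRADIUS tooling.

# Print the signature algorithm of the first certificate in a PEM file.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if the algorithm name is MD5- or SHA-1-based (or could not be read).
is_weak_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md5*|*sha1*|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if a CA certificate carries basicConstraints CA:TRUE.
has_ca_constraint() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeed if the certificate names an OCSP responder (the "OCSP marker").
has_ocsp_marker() {
    [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri)" ]
}

# Validate as a client would: trust only the root ($1); intermediates come
# from the server bundle ($2), whose first certificate is the server's own.
chain_builds() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# $1 = root CA, $2 = intermediate CA, $3 = server cert + intermediate bundle.
check_eap_certs() {
    rc=0
    for c in "$1" "$2" "$3"; do
        if is_weak_alg "$(sig_alg "$c")"; then echo "FAIL weak hash: $c"; rc=1; fi
    done
    for c in "$1" "$2"; do
        has_ca_constraint "$c" || { echo "FAIL no CA:TRUE: $c"; rc=1; }
    done
    has_ocsp_marker "$3" || { echo "FAIL no OCSP URL: $3"; rc=1; }
    chain_builds "$1" "$3" || { echo "FAIL chain does not reach root: $3"; rc=1; }
    return $rc
}

if [ "$#" -eq 3 ]; then check_eap_certs "$@"; fi
```

Run it as `sh check.sh root.pem subca.pem server-bundle.pem` (placeholder file names); it prints one `FAIL` line per problem and exits non-zero if any check fails.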
