Freeradius 3 self signed certificate

Alan DeKok aland at deployingradius.com
Mon Jun 29 14:07:07 CEST 2015


On Jun 29, 2015, at 4:47 AM, Jochen Demmer <jochen.demmer at peakwork.com> wrote:
> 
> There is a self signed certificate which I would like to install in the server. Now I'm somewhat struggling with the server side configuration.
> Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done.

  If you don't want the server to ship with example configuration files, you're free to delete them all after you install it.  Then, good luck figuring out how anything works.

> I found some documents on the internet saying that this server certificate needs extended key usage attributes (1.3.6.1.5.5.7.3.1). Is that right?

  How about reading the README file in the "certs" directory?

  This is all documented.

> The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA?

  This is all documented in eap.conf (v2) or raddb/mods-available/eap (v3).

> What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X)? Does the certificate have to be a catted cert from the rootca cert and the subca cert?

  The client needs the CA.  Just like a web browser needs a CA.  Again, this is all documented.

  Alan DeKok.





More information about the Freeradius-Users mailing list