understanding the process of setting up eap-tls server/client certs

Michael Martinez mwtzzz at gmail.com
Thu Mar 17 17:07:06 CET 2016


I'm working on setting up EAP-TLS so that the client (iPad) can be
issued a client cert and use it to authenticate with Radius. I need
some clarity on the process, particularly the roles of some of the
different files generated and how to use them.

1. In order to generate the root CA, first I edit ca.cnf.
It's straightforward except I don't understand the role of the "input"
password. The "output" password I understand is for the private key -
ca.key.

1.a. After editing ca.cnf, I then run make ca.pem. This uses openssl
to run req to generate a self-signed root CA. Four files are
generated:
  * index: it's empty. I don't know what it's for
  * serial
  * ca.pem: the root CA
  * ca.key: the private key for the root CA

1.b. In mods-enabled/eap, designate the location of the ca.pem file in
the "ca_file = " field.

2. Make the server certs.
2.a. Edit server.cnf. Again, I don't know what the "input" password is
for. The output password I assume is the password for the private key.
2.b. make server.pem generates a bunch of files. I'm assuming the ones
we need are server.pem and server.key.
2.c. In mods-enabled/eap do the following:
    * "private key password = " <the "output password" I set in server.cnf>
    * "private key file = " <the location of the newly generated server.key>
    * "certificate file = " <the location of the newly generated server.pem>

2.d. Questions about the files generated by "make server.pem":
    * What's server.crt? What's server.pem? When do I use one versus the other?
    * 01.pem is identical to server.crt. Why and where would I use
01.pem instead of server.crt?

3. Now make a client cert signed by the server cert.
3.a. Edit client.cnf. Set "input" and "output" passwords to something
unique to the client? Or does one or both of these need to match the
password from the server cert?
3.b. make client.pem. This generates a bunch of files. I'm assuming the
one we need to install on the client is client.key (and client.pem?).

4. Now for the client. The README says we need to install ca.crt on
the client. I assume also the client.key needs to be put on the
client.

5. I'm using jradius to try to test this. In the "Keys" tab:
    * Client Certificate file: I need to put client.key here
    * Client Certificate password: the password that the private key
was encrypted with
    * Root CA chain file: ca.crt
    * Root CA chain password: the "output password" from ca.cnf

I'm sure I am bungling some of this. Any help is appreciated.



-- 
---
Michael Martinez
http://www.michael--martinez.com
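
A minimal reconstruction of this PKI in plain openssl, added here as an example and not taken from the post or from FreeRADIUS's own certs Makefile: it makes the roles of index.txt, serial, ca.pem, server.crt/server.pem and the 01.pem copy visible, and treats each "output password" as the passphrase that encrypts the key it belongs to. It assumes openssl is on PATH; the CNs and passwords are constructed placeholders, and the EAP-specific extensions (the xpextensions file) are left out.

```shell
# Added example: rebuild the files the raddb/certs Makefile produces with
# plain openssl so each file's role is visible. index.txt and serial are the
# CA's issuance database; NN.pem is the CA's own copy of each cert it signs;
# server.pem is server.key + server.crt. Assumes openssl; values are constructed.
set -eu
CA_PASS="ca-output-password"          # ca.cnf "output password": encrypts ca.key
SERVER_PASS="server-output-password"  # server.cnf "output password": encrypts server.key

build_eap_tls_pki() {   # $1 = work dir; returns 0 when all checks pass
  mkdir -p "$1" && cd "$1"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = .
database      = $dir/index.txt  # the empty "index": one line appended per issued cert
serial        = $dir/serial     # next serial to issue, so the first cert is 01
new_certs_dir = $dir            # "openssl ca" also writes <serial>.pem here
certificate   = $dir/ca.pem
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  : > index.txt; echo 01 > serial
  # 1. self-signed root CA; -passout is the "output password" protecting ca.key
  openssl req -new -x509 -newkey rsa:2048 -config ca.cnf -subj "/CN=Example EAP CA" \
    -keyout ca.key -out ca.pem -passout "pass:$CA_PASS" >/dev/null 2>&1
  # 2. server key + CSR; the CA's output password is now the -passin that unlocks ca.key
  openssl req -new -newkey rsa:2048 -config ca.cnf -subj "/CN=radius.example.test" \
    -keyout server.key -out server.csr -passout "pass:$SERVER_PASS" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -passin "pass:$CA_PASS" -in server.csr -out server.crt >/dev/null 2>&1
  cat server.key server.crt > server.pem   # certificate_file = server.pem; private_key_password = SERVER_PASS
  # 3. client cert, signed by the same CA so the server can check it against ca_file = ca.pem
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=ipad-user@example.test" \
    -keyout client.key -out client.csr >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -passin "pass:$CA_PASS" -in client.csr -out client.crt >/dev/null 2>&1
  # checks: 01.pem is byte-identical to server.crt, and both leaf certs chain to ca.pem
  cmp -s 01.pem server.crt
  openssl verify -CAfile ca.pem server.crt client.crt >/dev/null
}
build_eap_tls_pki "$(mktemp -d)" && echo "EAP-TLS demo PKI built in $PWD"
```

The only password fed into openssl here is the -passin on the signing steps, the passphrase that unlocks an already existing key; in an openssl req config, input_password plays that role for a key read with -key, while output_password protects the key being written.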


More information about the Freeradius-Users mailing list