Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at gmail.com
Wed Dec 26 08:17:19 CET 2018


I came across a blog
https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html
which suggests that **In AD CS, the template to use is indicated by an
X.509 extension in the certificate signing request (CSR). The template
specifier can be one of two extensions.**

So if I just run the command **make server.csr** and do nothing else, the cert
request against the Windows CA would fail, as I met before, because an X.509
extension should be added to the CSR.
Something like :
------------------
        Attributes:
        Requested Extensions:
            1.3.6.1.4.1.311.20.2:   # Your Cert template OID
        .....
-----------------
As it's hard to add this extension, here is a way to fix the error I met
before.

1.  In MS CA, create your server template: duplicate `computer` and name
it `temp-computer`; please make sure DNS name is unchecked in Subject
Alternative Name of `temp-computer`, as that requires FreeRadius to be a
member of MS Active Directory.
2.  Change server.cnf and make server.csr.
3. copy server.csr to MS CA.
4. Run-->cmd, run
----------------
certreq -submit -attrib "CertificateTemplate:temp-computer"
--------------
A window pops up, choose your server.csr file.

5. Done, save your certificate and copy to Freeradius server
/etc/raddb/certs/

--------
 An alternative way is copying the MS CA to Freeradius and signing a server
certificate there.   I'll skip this one.

Over, good luck.

Hope someone could fix the scripts of the Makefile and add the cert template
required by MS CA. :)

Merry X-mas !!!
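As an added example (not from the post above or from the FreeRADIUS certs Makefile), here is how the template-name extension the post calls "hard to add" can be put into server.csr with OpenSSL, together with a check that the CSR really carries it before it is handed to the CA. The template name temp-computer comes from the post; openssl in PATH, the CN and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own procedure: build a server CSR that carries
# the Microsoft certificate template name extension (OID 1.3.6.1.4.1.311.20.2,
# a BMPString holding the template name), so AD CS can map the request to the
# template without the certreq -attrib override.
# Assumes openssl in PATH. Template name "temp-computer" is from the post; the
# CN and the output directory are placeholders.
set -e

make_template_csr() {
    tpl="$1"; cn="$2"; out="$3"
    mkdir -p "$out"
    cat > "$out/server.cnf" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = server_dn
req_extensions     = v3_req

[ server_dn ]
CN = $cn

[ v3_req ]
# Template name as a BMPString (UTF-16BE); AD CS reads this to pick the template.
1.3.6.1.4.1.311.20.2 = ASN1:BMPSTRING:$tpl
extendedKeyUsage     = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out/server.key" \
        -out "$out/server.csr" -config "$out/server.cnf" 2>/dev/null
}

# Returns 0 if the CSR's requested extensions contain OID 1.3.6.1.4.1.311.20.2
# whose value is a BMPString of exactly the given template name, else 1.
csr_has_template() {
    csr="$1"; tpl="$2"
    # UTF-16BE hex of the template name, e.g. "temp" -> 00740065006D0070
    hex=$(printf '%s' "$tpl" | od -An -v -tx1 | tr -d ' \n' | sed 's/../00&/g' | tr a-f A-F)
    # asn1parse prints the OBJECT line, then the OCTET STRING holding the
    # DER BMPString: tag 1E, one length byte, then the UTF-16BE characters.
    openssl asn1parse -in "$csr" \
        | sed -n '/OBJECT *:1.3.6.1.4.1.311.20.2/{n;p;}' \
        | grep -q "HEX DUMP]:1E[0-9A-F][0-9A-F]${hex}\$"
}
```

Run `openssl req -in server.csr -noout -text` after generating it and the OID appears under "Requested Extensions", which is what the post's dashed excerpt shows.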

