Anything special to apply a server cert by CSR for eap-tls?

luckydog xf luckydogxf at gmail.com
Wed Dec 26 08:25:13 CET 2018


You have to copy the MS CA to FreeRADIUS too, if you're using EAP-TLS.
Just back up the MS CA and export CA.p12, then use `openssl pkcs12 ...` to extract the certs.

Copy them to /etc/raddb/certs/ca.pem, etc.

FYI. Good luck.

On Wed, Dec 26, 2018 at 3:17 PM luckydog xf <luckydogxf at gmail.com> wrote:

> I came across a blog
> https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html
> which suggests that **In AD CS, the template to use is indicated by an
> X.509 extension in the certificate signing request (CSR). The template
> specifier can be one of two extensions.**
>
> So if I just run the command **make server.csr** and do nothing else, the cert
> request against the Windows CA will fail, as I met before, because an X509
> extension should be added to the CSR.
> Something like:
> ------------------
>         Attributes:
>         Requested Extensions:
>             1.3.6.1.4.1.311.20.2:   # Your Cert template OID
>         .....
> -----------------
> As it's hard to add this extension, here is a way to fix the error I
> met before.
>
> 1. In MS CA, create your server template: duplicate `computer` and name
> it `temp-computer`. Please make sure DNS name is unchecked in the Subject
> Alternative Name of `temp-computer`, as this requires FreeRADIUS to be a
> member of MS Active Directory.
> 2. Change server.cnf and make server.csr.
> 3. Copy server.csr to the MS CA.
> 4. Run-->cmd, run
> ----------------
> certreq -submit -attrib "CertificateTemplate:temp-computer"
> --------------
> A window pops up, choose your server.csr file.
>
> 5. Done, save your certificate and copy it to the FreeRADIUS server's
> /etc/raddb/certs/
>
> --------
> An alternative way is copying the MS CA to FreeRADIUS and signing a server
> certificate. I'll skip this one.
>
> Over, good luck.
>
> Hope someone could fix the Makefile scripts to add the cert template
> required by MS CA. :)
>
> Merry X-mas !!!
>
>
>
>
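
An added example, not part of the original messages or of the FreeRADIUS Makefile: a shell sketch that puts the template-name extension (OID 1.3.6.1.4.1.311.20.2) into the CSR with OpenSSL's arbitrary-extension syntax and checks a CSR for it before submission. The host name, file names, section name and function names are placeholders, and encoding the value as a BMPString is an assumption to confirm against a request generated on Windows.

```shell
#!/bin/sh
# Added example. Assumptions: BMPString value encoding, placeholder names,
# and a stand-alone req.cnf rather than FreeRADIUS's own server.cnf.

# OID 1.3.6.1.4.1.311.20.2 as DER: tag 06, length 09, then the encoded arcs.
TEMPLATE_OID_DER=06092b0601040182371402

# make_csr OUTDIR CN [TEMPLATE]
# Writes req.cnf, server.key and server.csr into OUTDIR. Without TEMPLATE the
# request carries no template extension (the case the CA rejected).
make_csr() {
    out=$1 cn=$2 tmpl=${3:-}
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
        if [ -n "$tmpl" ]; then printf 'req_extensions = adcs_template\n'; fi
        printf '\n[ dn ]\nCN = %s\n' "$cn"
        if [ -n "$tmpl" ]; then
            # Arbitrary-extension syntax: OID = ASN1:<type>:<value>
            printf '\n[ adcs_template ]\n'
            printf '1.3.6.1.4.1.311.20.2 = ASN1:BMPSTRING:%s\n' "$tmpl"
        fi
    } > "$out/req.cnf"
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -config "$out/req.cnf" \
          -keyout "$out/server.key" -out "$out/server.csr" )
}

# csr_has_template_ext CSR_FILE
# Returns 0 if the DER form of the CSR contains the template-name OID.
# Matching on the DER bytes avoids depending on how a given OpenSSL
# version prints this OID in its text output.
csr_has_template_ext() {
    openssl req -in "$1" -outform DER 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n' | grep -q "$TEMPLATE_OID_DER"
}

# Usage:
#   make_csr /tmp/radius-csr radius.example.org temp-computer
#   csr_has_template_ext /tmp/radius-csr/server.csr && echo "template present"
```

A CSR that passes this check names its template itself, so the `-attrib` argument to `certreq -submit` is only needed for requests that lack the extension.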

