Anything special to apply a server cert by CSR for eap-tls?
luckydogxf at gmail.com
Wed Dec 26 08:25:13 CET 2018
You have to copy MS CA to FreeRADIUS, too if you're using EAP-TLS.
Just backup MS CA and export CA.p12, use `openssl pkcs12 ...` to extra certs
Copy them to /etc/raddb/certs/ca.pem. etc.
FYI. Good luck.
On Wed, Dec 26, 2018 at 3:17 PM luckydog xf <luckydogxf at gmail.com> wrote:
> I come accross a blog
> which suggests that **In AD CS, the template to use is indicated by an
> X.509 extension in the certificate signing request (CSR). The template
> specifier can be one of two extensions.**
> So if I just run command **make server.csr** and do nothing, the cert
> request against windows CA would fail as I met before. Because an X509
> extension should be added in CSR.
> Something like :
> Requested Extensions:
> 184.108.40.206.4.1.311.20.2: # Your Cert template OID
> As it's hard to add this extension, so here is a way to fix the error I
> met before.
> 1. In MS CA, create your server template, duplicate `computer` and name
> it as `temp-computer`, please make sure DNS name is unchecked in Subject
> Alternative Name of `temp-computer`. As this required FreeRadius is a
> member of MS Active directory.
> 2. change server.cnf and make sever.csr.
> 3. copy server.csr to MS CA.
> 4. Run-->cmd, run
> certreq -submit -attrib “CertificateTemplate:temp-computer"
> A window pops up, choose your server.csr file.
> 5. Done, save your certificate and copy to Freeradius server
> An alternative way is copying MS CA to Freeraidus and signing a server
> certiificate. I'll skip this one.
> Over, good luck.
> Hope some could fix the scripts of Makefile, add cert template required by
> MS CA. :)
> Merry X-mas !!!
More information about the Freeradius-Users