Hi All,
I came across this information and thought it would be nice to drop it here.
Even though it is an SSL issue, it has to do with PEAP. Just to discuss; any
comments?
PEAP certificates, signing requirements and examples
There are only minor differences between standard SSL certificates used by
secure web sites and those used with PEAP on 802.1x wireless networks.
With PEAP the SID of the network, rather than your organization's domain, must
match the common name (cn) of the certificate. Additionally, an EKU (Enhanced
Key Usage) for Server Authentication (OID 1.3.6.1.5.5.7.3.1) must be specified
when creating your public certificate or signing request.
[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
In these examples we will use the OpenSSL utility to create a Certificate
Signing Request (CSR) used with a third party certificate authority such as
Verisign or Thawte. We will also generate a ‘self-signed’ certificate that
does not require a certificate authority but does require users to first
accept your certificate as valid on a one time basis depending on the
supplicant and its configuration.
Example creating a certificate signing request for a certificate authority
openssl req -new -nodes -keyout private.pem -out public.csr -extensions PEAP -config openssl.cnf
The output file public.csr is processed by your certificate authority (CA),
which will return a signed certificate file to you. Combine private.pem with
the certificate returned from the CA into a single file. This file becomes the
‘PEAP Certificate’ file. You will likely also need the CA’s certificate chain
file if one is required. This file becomes the ‘PEAP CA Certificate’.
Example creating a ‘self-signed’ certificate
openssl req -new -x509 -key private.pem -out public.pem -extensions PEAP -config openssl.cnf -days 5000
==================================================
Benjamin K. Eshun
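
Added example, not part of the original post: a shell check that a certificate built from an openssl.cnf extension section actually carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) before it is installed as the PEAP certificate. The function names, the CN peap.example and the single comma-separated extendedKeyUsage value are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a throwaway self-signed certificate from an
# openssl.cnf extension section, then check its Extended Key Usage.
# write_cnf, make_cert, has_server_auth and CN peap.example are
# hypothetical names constructed for this example.

# write_cnf FILE SECTION EKU_VALUE: minimal config with one extension section
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = peap.example
[ $2 ]
extendedKeyUsage = $3
EOF
}

# make_cert DIR SECTION EKU_VALUE: new key and self-signed cert in DIR
make_cert() {
    write_cnf "$1/openssl.cnf" "$2" "$3" &&
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$1/private.pem" -out "$1/public.pem" \
        -extensions "$2" -config "$1/openssl.cnf" -days 30 2>/dev/null
}

# has_server_auth CERT: succeed only if the EKU lists Server Authentication
has_server_auth() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# demo: generate a cert with both OIDs in one value and report the check
demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d" PEAP "1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2" || return 1
    if has_server_auth "$d/public.pem"; then echo "serverAuth EKU present"
    else echo "serverAuth EKU missing"; fi
    rm -rf "$d"
}
demo
```

The same has_server_auth check can be run against the certificate returned by a CA, since a CA may not copy the extensions requested in the CSR.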