Can someone on the list share with me their experience with certificate signing? I'd like to submit a CSR to a commercial signing authority such as GoDaddy so that wireless clients can establish a TLS session with a trusted certificate. Is this as simple as:

    openssl genrsa -out radius.key 1024
    openssl req -new -key radius.key -out radius.csr

Then submitting the CSR to the signing authority?

My biggest concern is if the signing authority will add the Enhanced Key Usage parameters necessary to support Windows clients. I think I read that they add it to support SSL web servers, but I haven't been able to find that reference again.

Also, in my testing it appears that unlike with web servers, it doesn't really matter what CN you use - since clients aren't resolving DNS at that point, it appears from my testing that they take any cert signed by a trusted signing authority, and don't do the standard check of FQDN == CN. Does that sound right?

Thanks in advance,
Chris
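
For the Enhanced Key Usage concern raised above, an added example (not part of the original post) that checks whether an issued certificate carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), which is the one Windows supplicants look for on the RADIUS server certificate. The file names, the CN and the self-signing step that stands in for the CA are assumptions; the key is 2048-bit because public CAs do not sign 1024-bit RSA keys.

```shell
#!/bin/sh
# Added example. File names and the CN are constructed; the self-signing step
# only stands in for the commercial CA so the check has something to inspect.

# make_csr <dir> <cn>: the two commands from the post, with a 2048-bit key.
make_csr() {
    openssl genrsa -out "$1/radius.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/radius.key" -subj "/CN=$2" -out "$1/radius.csr"
}

# issue_test_cert <dir> <out.pem> [extfile]: stand-in for the CA. The issuer's
# extfile, not the CSR, decides which extensions end up in the certificate.
issue_test_cert() {
    if [ -n "${3:-}" ]; then
        openssl x509 -req -in "$1/radius.csr" -signkey "$1/radius.key" \
            -days 1 -extfile "$3" -out "$2" 2>/dev/null
    else
        openssl x509 -req -in "$1/radius.csr" -signkey "$1/radius.key" \
            -days 1 -out "$2" 2>/dev/null
    fi
}

# has_server_auth <cert.pem>: succeeds only if the certificate carries the
# serverAuth EKU, which openssl prints as "TLS Web Server Authentication".
has_server_auth() {
    openssl x509 -in "$1" -noout -text |
        grep -q "TLS Web Server Authentication"
}
```

Run `has_server_auth` against the certificate the CA returns before installing it on the RADIUS server; a non-zero exit status means the EKU is absent.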