Chris Byrd wrote:
> Can someone on the list share with me their experience with
> certificate signing?  I'd like to submit a CSR to a commercial signing
> authority such as GoDaddy so that wireless clients can establish a TLS
> session with a trusted certificate.  Is this as simple as:
>
>     openssl genrsa -out radius.key 1024
>     openssl req -new -key radius.key -out radius.csr
>
> Then submitting the CSR to the signing authority?

Pretty much, but make sure the Root CA you submit it to is available and maintained on the clients that will be using your certificate.

'GoDaddy' for example, is almost certainly not.

Whereas 'Thawte Premium Server CA' (the certification authority we use) is almost always there by default.

> My biggest concern is if the signing authority will add the Enhanced
> Key Usage parameters necessary to support Windows clients.  I think I
> read that they add it to support SSL web servers, but I haven't been
> able to find that reference again.

That's a bit hit and miss.

> Also, in my testing it appears that unlike with web servers, it
> doesn't really matter what CN you use - since clients aren't resolving
> DNS at that point, it appears from my testing that they take any cert
> signed by a trusted signing authority, and don't do the standard check
> of FQDN == CN.  Does that sound right?

That's correct.

> Thanks in advance,
>
> Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
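
One way to request and then verify the Enhanced Key Usage discussed in this thread, as an added example that is not part of either poster's message. It assumes the EKU Windows clients look for is Server Authentication (OID 1.3.6.1.5.5.7.3.1) and uses a 2048-bit key; the host name `radius.example.org`, the file names and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: request the Server Authentication EKU in a CSR and check
# whether the certificate the CA returns actually carries it.
# Assumptions: host name and file names below are placeholders.

# make_csr DIR CN: write DIR/radius.key and DIR/radius.csr, asking the CA
# for extendedKeyUsage=serverAuth (OID 1.3.6.1.5.5.7.3.1).
make_csr() {
    dir=$1; cn=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
extendedKeyUsage = serverAuth
EOF
    openssl genrsa -out "$dir/radius.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/radius.key" -config "$dir/req.cnf" \
        -out "$dir/radius.csr"
}

# csr_requests_server_auth CSR: succeed if the CSR asks for the EKU.
csr_requests_server_auth() {
    openssl req -in "$1" -noout -text |
        grep -q 'TLS Web Server Authentication'
}

# cert_has_server_auth CERT: succeed if the issued certificate carries it.
# A CA applies its own profile and may ignore extensions requested in a
# CSR, so the check that matters is on the certificate that comes back.
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'TLS Web Server Authentication'
}
```

Run `cert_has_server_auth` on the signed certificate before installing it on the RADIUS server; a non-zero exit status means the CA did not include the extension.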
