Please excuse me if this isn't entirely related to freeradius, but it's all about getting WindowsXP laptops to my wireless network with freeradius and 802.1x.
I see that there are certificate failures and am thinking that I need to clean this up. Up until now, server2 is my CA and I have used that to generate and sign certificates. My radius server though is running on server1, and I think that my failure is related to the fact that I'm generating the certificates and signing them with server2.

So my questions...

1. Do I set up server1 to be its own CA or do I still use server2 as the CA?
2. If server2 is the CA, do I then generate the request on server1, copy it to server2 and then sign it on server2?
3. Does anyone see any problems with these methods of generating certificates? (openssl on Linux)

# Generate server certificate signing request
openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
    -out $SSL/radius_server_req.pem \
    -days 730 \
    -config $SSL/openssl.cnf

# Sign server certificate
openssl ca -config $SSL/openssl.cnf \
    -policy policy_anything \
    -out radius_server_cert.pem \
    -extensions xpserver_ext \
    -extfile $SSL/xpextensions \
    -infiles $SSL/radius_server_req.pem

# Edit out text information in radius_server_cert.pem and then run
# cat $SSL/radius_server_key.pem \
#     $SSL/radius_server_cert.pem > \
#     $SSL/radius_server_keycert.pem

# Generate client certificates
#
openssl req -new -keyout $SSL/radius_client_key.pem \
    -out $SSL/radius_client_req.pem \
    -days 730 \
    -config $SSL/openssl.cnf

# Sign client certificates
openssl ca -config $SSL/openssl.cnf \
    -policy policy_anything \
    -out $SSL/radius_client_cert.pem \
    -extensions xpclient_ext \
    -extfile $SSL/xpextensions \
    -infiles $SSL/radius_client_req.pem

# cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > $SSL/radius_client_keycert.pem

Thanks
Craig
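An added example, not part of the post above and not FreeRADIUS's own scripts: a throwaway CA signs a request created on a separate "RADIUS host", then the result is checked for the three properties that usually sit behind EAP-TLS certificate failures (chain to the trusted CA, server-authentication purpose, key/certificate pairing). Assumptions: the contents of xpextensions (the post names the file and its sections but does not show them), `openssl x509 -req` standing in for `openssl ca` so that no CA database is needed, and all subjects and paths, which are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every subject, file name and directory below is made up.

make_demo_pki() {       # $1 = empty working directory
    d=$1
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        '[ dn ]' 'CN = Demo CA' \
        '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' > "$d/openssl.cnf"
    # Assumed contents of xpextensions (client-auth and server-auth EKU OIDs)
    printf '%s\n' '[ xpclient_ext ]' 'extendedKeyUsage = 1.3.6.1.5.5.7.3.2' \
        '[ xpserver_ext ]' 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1' > "$d/xpextensions"
    # CA host: self-signed root certificate
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$d/openssl.cnf" -extensions v3_ca \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null || return 1
    # RADIUS host: key and request are created here; only the request goes to the CA
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -config "$d/openssl.cnf" \
        -keyout "$d/radius_server_key.pem" -out "$d/radius_server_req.pem" 2>/dev/null
}

sign_csr() {            # $1 = directory, $2 = extension section, $3 = output cert
    openssl x509 -req -in "$1/radius_server_req.pem" -days 30 \
        -CA "$1/ca_cert.pem" -CAkey "$1/ca_key.pem" -CAcreateserial \
        -extfile "$1/xpextensions" -extensions "$2" -out "$3" 2>/dev/null
}

check_server_cert() {   # $1 = CA cert, $2 = server cert, $3 = server key
    # Chain and purpose: must verify against the CA the clients trust, as a TLS server
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo 'chain-or-eku'; return 1; }
    # Pairing: the public key in the certificate must match the private key
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo 'key-mismatch'; return 1; }
    echo 'ok'
}

# Stand-alone run: build the demo PKI, sign with the server section, check it
d=$(mktemp -d) && make_demo_pki "$d" \
    && sign_csr "$d" xpserver_ext "$d/radius_server_cert.pem" \
    && check_server_cert "$d/ca_cert.pem" "$d/radius_server_cert.pem" \
        "$d/radius_server_key.pem"
rm -rf "$d"
```

Signing the same request with `xpclient_ext` instead makes `check_server_cert` report `chain-or-eku`, which is the quickest way to tell an extension mix-up from a wrong CA.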

