tinyca is a nice graphical interface for Linux with openssl in the backend. It's much easier than remembering all the openssl commands needed, especially when you don't add/revoke certificates all the time.

On Mon, Nov 24, 2008 at 1:18 PM, Craig White <[EMAIL PROTECTED]> wrote:
> please excuse me if this isn't entirely related to freeradius but it's
> all about getting Windows XP laptops to my wireless network with
> freeradius and 802.1x
>
> I see that there are certificate failures and am thinking that I need to
> clean this up
>
> up until now, server2 is my ca and I have used that to generate and sign
> certificates.
>
> my radius server though is running on server1 and I think that my
> failure is related to the fact that I'm generating the certificates and
> signing them with server2.
>
> So my questions...
>
> 1. Do I set up server1 to be its own CA or do I still use server2 as the
> CA?
>
> 2. If server2 is the CA, do I then generate the request on server1, copy
> it to server2 and then sign it on server2?
>
> 3. Does anyone see any problems with these methods of generating
> certificates ? (openssl on Linux)
>
> # Generate server certificate signing request
> openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
>   -out $SSL/radius_server_req.pem \
>   -days 730 \
>   -config $SSL/openssl.cnf
>
> # Sign server certificate
> openssl ca -config $SSL/openssl.cnf \
>   -policy policy_anything \
>   -out radius_server_cert.pem \
>   -extensions xpserver_ext \
>   -extfile $SSL/xpextensions \
>   -infiles $SSL/radius_server_req.pem
>
> # Edit out text information in radius_server_cert.pem and then run
> # cat $SSL/radius_server_key.pem \
> #   $SSL/radius_server_cert.pem > \
> #   $SSL/radius_server_keycert.pem
>
> # Generate client certificates
> #
> openssl req -new -keyout $SSL/radius_client_key.pem \
>   -out $SSL/radius_client_req.pem \
>   -days 730 \
>   -config $SSL/openssl.cnf
>
> # Sign client certificates
> openssl ca -config $SSL/openssl.cnf \
>   -policy policy_anything \
>   -out $SSL/radius_client_cert.pem \
>   -extensions xpclient_ext \
>   -extfile $SSL/xpextensions \
>   -infiles $SSL/radius_client_req.pem
> #
> cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > $SSL/radius_client_keycert.pem
>
> Thanks
>
> Craig
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Random quote of the week/month/whenever i get to updating it:
"Opportunity knocked. My doorman threw him out." - Adrienne Gusoff
"At school you don't get parole, good behavior only brings a longer sentence." - The History Boys
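
The split asked about in question 2 (request created on the RADIUS host, signed on a separate CA host) can be checked before a certificate is installed. The script below is an added example, not part of either message: it builds a throwaway CA and server request, signs the request once with each extension section, and tests chain, key match and extended key usage. The `demo.cnf` file, the subject names and the helper names `make_demo` and `check_cert` are constructed for the example; the section names `xpserver_ext` and `xpclient_ext` are taken from the post, and their contents here are an assumption.

```shell
#!/bin/sh
# Added example. All subjects, file names and the demo.cnf file are constructed.

# make_demo DIR: build a throwaway CA, one server key/request, and two signed certs.
make_demo() {
    d=$1
    # One constructed file stands in for openssl.cnf and xpextensions from the post.
    # The two OIDs are id-kp-serverAuth and id-kp-clientAuth.
    cat > "$d/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    # CA host (server2 in the post): self-signed CA certificate.
    openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Example CA" -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null
    # RADIUS host (server1): key and request are created here; only the request is copied.
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" -keyout "$d/srv_key.pem" -out "$d/srv_req.pem" 2>/dev/null
    # CA host again: sign the same request once per extension section.
    for ext in xpserver_ext xpclient_ext; do
        openssl x509 -req -in "$d/srv_req.pem" -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
            -CAcreateserial -days 30 -extfile "$d/demo.cnf" -extensions "$ext" \
            -out "$d/$ext.pem" 2>/dev/null
    done
}

# check_cert CA CERT KEY EKU_TEXT: print "ok" or the name of the first failed check.
check_cert() {
    # 1. The certificate must chain to the CA file the clients will trust.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo chain; return 1; }
    # 2. The private key must match the certificate (compare public key digests).
    a=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$a" = "$b" ] || { echo key; return 1; }
    # 3. The expected extended key usage must appear in the certificate.
    openssl x509 -in "$2" -noout -text | grep -q "$4" || { echo eku; return 1; }
    echo ok
}

demo=$(mktemp -d)
make_demo "$demo"
check_cert "$demo/ca_cert.pem" "$demo/xpserver_ext.pem" "$demo/srv_key.pem" "TLS Web Server Authentication"
```

Run against real files, `check_cert` takes the CA certificate, the signed certificate, the private key and the usage string as `openssl x509 -text` prints it.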

