Is tinyca able to add the OIDs supposedly required for Windows?
-Ted-
Paul Bartell wrote:
tinyca is a nice graphical interface for Linux with openssl in the
backend. It's much easier than remembering all the openssl commands
needed, especially when you don't add/revoke certificates all the time.
On Mon, Nov 24, 2008 at 1:18 PM, Craig White <[EMAIL PROTECTED]> wrote:
Please excuse me if this isn't entirely related to freeradius but it's
all about getting Windows XP laptops onto my wireless network with
freeradius and 802.1x.
I see that there are certificate failures and am thinking that I need to
clean this up.
Up until now, server2 is my CA and I have used that to generate and sign
certificates.
My radius server though is running on server1 and I think that my
failure is related to the fact that I'm generating the certificates and
signing them with server2.
So my questions...
1. Do I set up server1 to be its own CA or do I still use server2 as the
CA?
2. If server2 is the CA, do I then generate the request on server1, copy
it to server2 and then sign it on server2?
3. Does anyone see any problems with these methods of generating
certificates ? (openssl on Linux)
# Generate server certificate signing request
openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
-out $SSL/radius_server_req.pem \
-days 730 \
-config $SSL/openssl.cnf
# Sign server certificate
openssl ca -config $SSL/openssl.cnf \
-policy policy_anything \
-out radius_server_cert.pem \
-extensions xpserver_ext \
-extfile $SSL/xpextensions \
-infiles $SSL/radius_server_req.pem
# Edit out text information in radius_server_cert.pem and then run
# cat $SSL/radius_server_key.pem \
# $SSL/radius_server_cert.pem > \
# $SSL/radius_server_keycert.pem
# Generate client certificates
#
openssl req -new -keyout $SSL/radius_client_key.pem \
-out $SSL/radius_client_req.pem \
-days 730 \
-config $SSL/openssl.cnf
# Sign client certificates
openssl ca -config $SSL/openssl.cnf \
-policy policy_anything \
-out $SSL/radius_client_cert.pem \
-extensions xpclient_ext \
-extfile $SSL/xpextensions \
-infiles $SSL/radius_client_req.pem
#
cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > \
$SSL/radius_client_keycert.pem
Thanks
Craig
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
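Added example, not part of the original thread: the workflow asked about in question 2 (request generated on the RADIUS host, signed on the CA host), followed by a check that the signed certificate chains to the CA and carries the server-authentication extended key usage. It uses `openssl x509 -req` in place of the thread's `openssl ca` so that no CA database is needed; the directory layout, subject names and the content of the xpextensions file are assumptions.

```shell
#!/bin/sh
# Added example; every name, subject and path here is constructed.
# "server2" plays the CA and "server1" the RADIUS host: only the request and
# the signed certificate cross between them, never server1's private key.
make_demo_certs() {
    d=$1
    mkdir -p "$d/server1" "$d/server2" || return 1
    cat > "$d/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Assumed content of the xpextensions file named in the thread.
    cat > "$d/server2/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # server2: throwaway self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 -config "$d/openssl.cnf" \
        -keyout "$d/server2/ca_key.pem" -out "$d/server2/ca_cert.pem" 2>/dev/null || return 1
    # server1: private key and signing request
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/CN=radius.example.test" -keyout "$d/server1/radius_server_key.pem" \
        -out "$d/server1/radius_server_req.pem" 2>/dev/null || return 1
    # server2: sign the copied-over request using the server extension section
    openssl x509 -req -sha256 -days 730 -in "$d/server1/radius_server_req.pem" \
        -CA "$d/server2/ca_cert.pem" -CAkey "$d/server2/ca_key.pem" -CAcreateserial \
        -extfile "$d/server2/xpextensions" -extensions xpserver_ext \
        -out "$d/server1/radius_server_cert.pem" 2>/dev/null || return 1
}

# check_cert CA_CERT CERT EKU_NAME: true only if CERT chains to CA_CERT and
# its text dump lists EKU_NAME under Extended Key Usage.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "$3"
}

# Demo run in a scratch directory
tmp=$(mktemp -d) && make_demo_certs "$tmp" &&
    check_cert "$tmp/server2/ca_cert.pem" "$tmp/server1/radius_server_cert.pem" \
        "TLS Web Server Authentication" && echo "server cert OK in $tmp"
```

The same `check_cert` call with "TLS Web Client Authentication" applies to a certificate signed with the `xpclient_ext` section.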