Adding a signed certificate from a signing authority
Apologies, I seem to be hogging this today.

My radius server is working fine, so now I want to add a signed certificate from a certificate authority. Are there any pointers on how to do this?

I have found and carried out the steps on the wiki site around using snake oil certificates and then creating your own production certificates. But I now would like to add the externally signed certificate for added security.

Thanks again
Iain

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Adding a signed certificate from a signing authority
Hi,

> I have found and carried out the steps on the wiki site around using
> “snake oil” certificates and then creating your own production
> certificates. But I now would like to add the externally signed
> certificate for added security.

sure... just put the relevant files into the right place... and edit the eap.conf accordingly. you will need the server cert and the CA.. if the CA is a chained cert, then you'll need the CA and its next up (and its next up and its next up etc) concatenated in the same single file.

there's nothing magical about using real certs... these days it seems some real world certs are just as work-causing/onerous as 'snake oil' certs.

personally, I fall into the 'closed loop' camp which believes that using your own CA is more secure than some random external CA that anyone can get a cert from... no one else but your users will authenticate against your RADIUS server (external visitors get proxied and only have to trust their home RADIUS) and, as previously mentioned, lots of current external 3rd parties require you to update/change/install certs on the client (take the recent TERENA SSLs served by JANET for example.)

alan
signed certificate
Can anyone recommend a signed certificate provider whose certificates work with the Microsoft 802.1x client?

I currently have a system that works fine with a self signed certificate but fails to work with a Digicert signed certificate, so we are looking to purchase a certificate that will work.

Phil Brown
Lan support
Room 2-04 Halpern House
ISO department
University of Portsmouth
Re: signed certificate
Hi,

do you mean a RADIUS *Server* certificate?

Show us the

    openssl x509 -noout -text -in your-cert.pem

output of your certificate that is currently not working and we can make a guess why it might not be working.

From the vendor website I can't work out which keyusage extensions and/or Netscape certificate types are set in your certificate.

Phil Brown wrote:
> Can anyone recommend a signed certificate provider whose certificates
> work with the Microsoft 802.1x client?
>
> I currently have a system that works fine with a self signed
> certificate but fails to work with a Digicert signed certificate, so
> we are looking to purchase a certificate that will work.

--
Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: signed certificate
Phil Brown wrote:
> Can anyone recommend a signed certificate provider whose certificates
> work with the Microsoft 802.1x client?
>
> I currently have a system that works fine with a self signed
> certificate but fails to work with a Digicert signed certificate, so
> we are looking to purchase a certificate that will work.

OpenSSL creates usable certificates.

I would suggest calling Digicert, and telling them the certificate you paid for is useless.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Wildcard RADIUS-server certificate and rarely used subjectRDN OIDs under 2.5.4.x arc working with Windows PEAP/EAP-TLS? (Was: Re: signed certificate)
Got the requested openssl output via pm.

PKIX extendedKeyUsage is set OK. Additionally Netscape Cert Type is set accordingly to EKU.

But: It is a wildcard certificate. And the SubjectDN contained among commonly used RDNs (like C, ST, L, O, OU and CN) a few RDNs that are rarely used in certificates like OIDs 2.5.4.17, 2.5.4.9 and 2.5.4.9 which are X.500 attributes (http://www.faqs.org/rfcs/rfc2256.html, http://www.alvestrand.no/objectid/2.5.4.html).

I have not a clue if Windows built-in EAP-TLS or PEAP supplicant has problems with these. Anyway, these oddities raised my suspicion.

Can anybody confirm that RADIUS-Server certs with these rarely used OIDs in the sDN and/or a wildcard CN are working with Windows built-in PEAP/EAP-TLS?

Alan DeKok wrote:
> Phil Brown wrote:
>> Can anyone recommend a signed certificate provider whose certificates
>> work with the Microsoft 802.1x client?
>>
>> I currently have a system that works fine with a self signed
>> certificate but fails to work with a Digicert signed certificate, so
>> we are looking to purchase a certificate that will work.
>
> OpenSSL creates usable certificates.
>
> I would suggest calling Digicert, and telling them the certificate you
> paid for is useless.

--
Kind Regards
Reimer Karlsen-Masur
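
The three properties examined in the message above (serverAuth in extendedKeyUsage, a wildcard CN, and the rarely used subject RDNs 2.5.4.17 and 2.5.4.9) can be checked mechanically from the `openssl x509 -noout -text` dump. The script below is an added example, not part of the original thread; the function names and the sample dump are constructed, and it assumes OpenSSL prints those two OIDs as `postalCode` and `street` (or numerically in older builds).

```shell
#!/bin/sh
# Added example: triage the text dump of a RADIUS server certificate.
# Usage: openssl x509 -noout -text -in your-cert.pem | check_radius_cert
# check_radius_cert and sample_dump are hypothetical names.

check_radius_cert() {
    dump=$(cat)
    findings=""

    # First "Subject:" line only ("Subject Public Key Info:" does not match).
    subject=$(printf '%s\n' "$dump" \
        | sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1)

    # 1. The line after the EKU header must list server authentication.
    if ! printf '%s\n' "$dump" \
            | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
            | grep -q 'TLS Web Server Authentication'; then
        findings="$findings no-serverAuth-EKU"
    fi

    # 2. Wildcard CN, in both old (CN=*.) and new (CN = *.) print styles.
    case "$subject" in
        *"CN=*."*|*"CN = *."*) findings="$findings wildcard-CN" ;;
    esac

    # 3. Rarely used RDNs: postalCode (2.5.4.17) and street (2.5.4.9).
    if printf '%s\n' "$subject" | grep -Eq \
            '(^|[,/ ])(postalCode|street|2\.5\.4\.17|2\.5\.4\.9) ?='; then
        findings="$findings rare-subject-RDN"
    fi

    findings=${findings# }
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample, shaped like the certificate described in the thread.
sample_dump() {
    cat <<'EOF'
        Subject: C = GB, postalCode = EX4 4MP, ST = Exampleshire, street = 1 Example Road, O = Example University, CN = *.example.ac.uk
        Subject Public Key Info:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type:
                SSL Client, SSL Server
EOF
}

sample_dump | check_radius_cert
```

A finding here is a reason to look closer, as in the message above, not proof that the Windows supplicant will reject the certificate.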