Hi guys, I am implementing wireless EAP-TLS with FreeRADIUS authentication. It had been running for a month until one day all of my clients could no longer authenticate. Then I found out that the root certificate had expired: it is only good for one month. My temporary solution for now is to run root.der again from my server and generate ca.clt for my clients again; the client certificate is good for one year, as I defined in my openssl.conf.
Just want to ask how to make a root.der certificate that extends to more than one month? Please see the attached scripts.

CA.root - Certificate Authority generation script.

#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib

# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA

echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo

# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo

echo "newreq.pem" | CA.pl -newca >/dev/null

echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo

# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever

# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der

# Clean Up
rm -rf newreq.pem

CA.svr - Server certificate generation script.

#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib

echo "*********************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*********************************************************************************"
echo

# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem

# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever

# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der

# Clean Up (the original script had a typo here, "newert.pem", which left newcert.pem behind)
rm -rf newcert.pem newreq.pem

CA.clt - Client certificate generation script.

#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib

echo "*********************************************************************************"
echo "Creating client private key and certificate"
echo "When prompted enter the client name in the Common Name field. This is the same"
echo " used as the Username in FreeRADIUS"
echo "*********************************************************************************"
echo

# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for client authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem

# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever

# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der

# clean up (the original script had a typo here, "newcert", which left newcert.pem behind)
rm -rf newcert.pem newreq.pem

Please advise... Thanks...

arniel
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
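The one-month lifetime comes from the root step, not from openssl.cnf: the `default_days` setting in openssl.cnf is only read by `openssl ca` (which is why the server and client certificates signed with it get one year), while `openssl req -new -x509`, which CA.root uses for the self-signed root, has a built-in default of 30 days unless `-days` is passed on the command line. The script below is an added example, not part of the original post or the FreeRADIUS HOWTO scripts. It builds two self-signed test CAs in a temporary directory, one with the bare `openssl req -x509` invocation the CA.root script uses and one with `-days 3650`, then uses `openssl x509 -checkend` to show how long each remains valid. It assumes `openssl` is on PATH and that `mktemp -d` works; the subject name is a constructed value.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrates the 30-day default of
# "openssl req -new -x509" versus an explicit -days, and how to check a CA's lifetime.
# Assumes: openssl on PATH, writable temp dir. Subject name below is constructed.
set -e
WORK=$(mktemp -d)

# make_ca OUTPEM [DAYS]
# Creates a self-signed CA certificate and key. Without DAYS, openssl's built-in
# 30-day default applies (this is what CA.root does). With DAYS, -days is passed.
make_ca() {
    out=$1
    days_opt=""
    if [ -n "$2" ]; then
        days_opt="-days $2"
    fi
    # $days_opt is intentionally unquoted so "-days N" splits into two arguments
    openssl req -new -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "${out%.pem}.key" -out "$out" $days_opt 2>/dev/null
}

# valid_for_days PEM DAYS
# Exit 0 if the certificate will still be valid DAYS from now, 1 if it will have
# expired by then (openssl x509 -checkend takes the window in seconds).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 24 * 3600 )) >/dev/null
}

make_ca "$WORK/short.pem"          # bare invocation, as in CA.root: expires in 30 days
make_ca "$WORK/long.pem" 3650      # explicit -days: a ten-year root

# Show the notBefore/notAfter of each so the difference is visible
echo "CA with default lifetime ($WORK/short.pem):"
openssl x509 -in "$WORK/short.pem" -noout -dates
echo "CA created with -days 3650 ($WORK/long.pem):"
openssl x509 -in "$WORK/long.pem" -noout -dates
```

To apply this to CA.root, add `-days 3650` (or whatever lifetime you want the root to have) to its `openssl req -new -x509 ...` line and regenerate; the `openssl ca` steps in CA.svr and CA.clt keep taking their lifetime from `default_days` in openssl.cnf. The `-checkend` check is also a cheap thing to run from cron against the deployed root and server certificates so the next expiry is noticed before the clients stop authenticating.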