Hi guys,

I am implementing wireless EAP-TLS with FreeRADIUS authentication. It had
been running for a month when one day all of my clients could no longer
authenticate. Then I found out that the root certificate had expired; it is
only good for one month. My temporary solution for now is to run root.der
again from my server and generate CA.clt for my clients again. The client
certificate is good for one year, as I defined in my openssl.conf.

I just want to ask how to make a root.der certificate that lasts more than
one month. Please see the attached scripts.


CA.root - Certificate Authority Generation.

#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
# needed if you need to start from scratch, otherwise the CA.pl -newca command
# doesn't copy the new private key into the CA directories
rm -rf demoCA
echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo
# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem \
    -passin pass:whatever -passout pass:whatever
echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo
echo "newreq.pem" | CA.pl -newca >/dev/null
echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo
# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 \
    -cacerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
# Clean Up
rm -f newreq.pem

CA.svr - Server certificate generation script.

#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
echo "*********************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*********************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem \
    -passin pass:whatever -passout pass:whatever
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key usage
# for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever \
    -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" \
    -clcerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"
# Clean Up (the original had a typo, "newert.pem", so the signed cert was never removed)
rm -f newcert.pem newreq.pem


CA.clt - Client certificate generation script.

#!/bin/sh
SSL=/usr/local/openssl-certgen
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
echo "*********************************************************************************"
echo "Creating client private key and certificate"
echo "When prompted enter the client name in the Common Name field. This is the same"
echo " used as the Username in FreeRADIUS"
echo "*********************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem \
    -passin pass:whatever -passout pass:whatever
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key usage
# for client authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever \
    -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" \
    -clcerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"
# clean up (the original removed "newcert" without the .pem suffix, which left the file behind)
rm -f newcert.pem newreq.pem

Please advise...

Thanks...


arniel




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
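The one-month root comes from "openssl req -x509" itself: when no -days option is given it issues a certificate valid for 30 days, and it does not read the default_days setting that "openssl ca" applies to the client and server certificates. The script below is an added example, not arniel's script and not code from the FreeRADIUS or OpenSSL projects. It shows the -days fix and a check that a DER root still has a given amount of lifetime left, which is the sort of thing to run from cron before the supplicants all stop authenticating at once. It assumes a stock openssl binary on PATH; the directory names, the CN, the 3650-day lifetime and the unencrypted throwaway key (-nodes, for a reproducible demonstration) are my choices, and a production CA key should be passphrase-protected and kept off the RADIUS server.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes "openssl" on PATH.
set -e

# make_root_ca DIR DAYS
# Creates DIR/root.key, DIR/root.pem and DIR/root.der, valid for DAYS days.
# Without -days, "openssl req -x509" defaults to 30 days, which is what
# produced the one-month root in CA.root above.
make_root_ca() {
  dir=$1
  days=$2
  mkdir -p "$dir"
  openssl req -new -x509 -days "$days" -newkey rsa:2048 -nodes \
    -subj "/CN=Example EAP-TLS Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # Same PEM -> DER conversion the posted scripts use for the clients.
  openssl x509 -inform PEM -outform DER -in "$dir/root.pem" -out "$dir/root.der"
}

# will_outlast DER_FILE DAYS
# Exit 0 when the certificate is still valid DAYS days from now, exit 1 when
# it expires before then (openssl's -checkend takes the window in seconds).
will_outlast() {
  openssl x509 -noout -inform DER -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# show_validity DER_FILE
# Prints the notBefore/notAfter lines so the period can be checked by eye.
show_validity() {
  openssl x509 -noout -inform DER -in "$1" -dates
}

# Demonstration: a ten-year root survives a one-year warning window, a root
# issued with the 30-day default does not survive a 31-day one.
work=$(mktemp -d)
make_root_ca "$work/ten_years" 3650
make_root_ca "$work/default" 30
show_validity "$work/ten_years/root.der"
if will_outlast "$work/ten_years/root.der" 365; then
  echo "ten_years/root.der: still valid a year from now"
fi
if ! will_outlast "$work/default/root.der" 31; then
  echo "default/root.der: expires within 31 days; EAP-TLS clients would stop authenticating"
fi
rm -rf "$work"
```

A long validity is normal for a private root because replacing it means redistributing root.der to every supplicant and re-issuing the server certificate; the client and server lifetimes are then governed separately by default_days (or -days) on the "openssl ca" command. The will_outlast check is cheap enough to run daily against root.der and the server .der and to page on a non-zero exit.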