Matt Harlum wrote:
>
> Hi,
>
> John covered pretty much everything I was going to say.
>
> I'd recommend choosing a machine to generate your keys and certs on and
> sticking with that, otherwise you'll end up with SSL certs with clashing
> serial numbers. Plus it'll allow you to revoke certificates later if need be.
>
> Regards,
> Matt Harlum
>
> On 24/03/2010, at 11:30 PM, John Dennis wrote:
>
>> On 03/24/2010 06:21 AM, sphaero wrote:
>>>
>>> Hi All,
>>>
>>> I've been searching the archives for a while on some guidance into
>>> setting up multiple radius servers using the same CA for use with
>>> EAP/TTLS.
>>>
>>> I've generated a CA which is distributed to all the clients (i.e.
>>> SecureW2). I've got 2 radius servers for redundancy. All NAS devices
>>> have two radius servers configured.
>>>
>>> I'm using the scripts from freeradius 2.0 to generate the certificates
>>> according to the instructions in the README. I've set up the ca.cnf and
>>> server.cnf (not using eap/tls so I skip clients.cf).
>>>
>>> On the primary radius server I generated the certificates by issuing:
>>>
>>>     make
>>>
>>> Now on the second radius server I just copy the following files:
>>>
>>>     /certs/ca.pem
>>>     /certs/ca.key
>>>     /certs/ca.der
>>>     /certs/*.cnf
>>>     /certs/Makefile
>>>     /certs/README
>>>     /certs/xpextensions
>>>
>>> and issue:
>>>
>>>     make server
>>>     make dh
>>>
>>> This seems to have worked. But is this really correct?
>>>
>>> I'm renewing one radius server and did this procedure again, but now I'm
>>> receiving "chain could not be validated" errors in SecureW2. The Radius
>>> log seems fine; however, EAP communication is not finished, which
>>> corresponds with the client stopping communication since it can't
>>> validate the certificate.
>>>
>>> I'm really getting lost in the SSL jungle. I would really like to
>>> understand how this is done right, since it is about security.
>>
>> It would help to read the Makefile and understand it. Your goal is to
>> produce multiple certificates, each with a unique subject (e.g. the host
>> name of the radius server), and have each signed by the CA. There is no
>> need to do this process on each machine; the creation of certs can be
>> done on any machine.
>>
>> Find the part of the Makefile which says this:
>>
>>     "Create a new server certificate, signed by the above CA."
>>
>> If you make the server.pem target (e.g. make server) it will cause the
>> Makefile to execute a series of commands to produce the certificate,
>> starting with a CSR (Certificate Signing Request). Note that the
>> server.csr target depends on server.cnf, so make sure you edit this for
>> each server whose certificate you want to generate (see the req(1) man
>> page to understand how the certificate subject, e.g. the DN, may be
>> specified).
>>
>> But also note in the Makefile that server.crt is dependent on ca.key and
>> ca.pem, which themselves are dependent on ca.cnf. If, when you copy the
>> files, the ca.cnf file ends up with a newer timestamp than ca.key or
>> ca.pem, then a new CA will be created; you don't want that. You can
>> either fix the timestamps using touch or just make all the certs on one
>> machine so you don't have to worry about the CA being recreated.
>>
>> After you've created your certificates on the one machine (don't forget
>> to rename the server.{crt,p12,pem} files) dump them out using
>>
>>     openssl x509 -in XXX.pem -inform PEM -text
>>
>> and verify each has the certificate subject you expected.
>>
>> Then verify each cert with:
>>
>>     openssl verify -CAfile ca.pem XXX.pem
>>
>> If that succeeds you'll know each is successfully signed by the same CA
>> and you can distribute that CA to your clients. Then copy your server
>> certs to your RADIUS hosts; don't forget to edit the config so the
>> certificate names match how you named your certs (it will no longer be
>> server.{crt,p12,pem}).
>>
>> --
>> John Dennis <jden...@redhat.com>
>>
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
Hi all,

Thanks for these clarifications. So to clear this up, I now have one machine to generate the certificates. This machine had its CA set up according to the instructions found in the certs/README distributed with FR 2.

Certificates for a second radius server (radius2) using the same CA are generated as follows:

    # Certificate request (.csr) and key (.key)
    # (key file name made consistent with the later commands)
    openssl req -new -out radius2.csr -keyout radius2.key -config ./server.cnf

    # Certificate (.crt), signed by the CA; -key is the CA key passphrase
    openssl ca -batch -keyfile ca.key -cert ca.pem -in radius2.csr -key $PASSWORD_CA \
        -out radius2.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

    # p12 bundle of cert + private key
    openssl pkcs12 -export -in radius2.crt -inkey radius2.key -out radius2.p12 \
        -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER

    # PEM (cert + key) extracted from the p12
    openssl pkcs12 -in radius2.p12 -out radius2.pem \
        -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER

(Of course the password vars are replaced with the ones in ca.cnf & server.cnf.)

I then copy the following files onto this second radius server:

    radius2.pem
    ca.pem

Finally I generate a dh file on the second radius server:

    openssl dhparam -out dh 1024

Bump, still doesn't work :( I'm still doing something wrong?

Rg,
Arnaud

--
View this message in context: http://old.nabble.com/Multiple-radius-servers-with-the-same-CA-tp28013061p28015932.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
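The procedure the thread describes, end to end, as an added example that is not part of any of the posts above and not the FreeRADIUS Makefile: one CA signs certificates for two servers with distinct subjects, each is checked with openssl verify the way John suggests, then the script reproduces the serial clash Matt warns about (signing from a copy of the CA on a second machine that has a fresh serial file) and the "chain could not be validated" outcome that follows when the CA gets recreated. The host names (radius1.example.net, ...), the DN, and the minimal ca.cnf the script writes are assumptions; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from this thread or the FreeRADIUS Makefile): issue
# certificates for two RADIUS servers from ONE CA with "openssl ca", verify
# that each chains to that CA, reproduce the serial clash you get by signing
# from a copy of the CA on a second machine, and show that recreating the CA
# invalidates every certificate issued before. Host names and the DN are
# hypothetical. Requires the openssl CLI (1.1.1 or 3.x).
set -e

ORG="/C=NL/O=Example"   # assumed DN prefix; the CN is the server host name

# Minimal config for "openssl req" and "openssl ca", written into $1. It
# stands in for ca.cnf/server.cnf/xpextensions from the FreeRADIUS certs
# directory; server_ext carries the same serverAuth EKU (1.3.6.1.5.5.7.3.1)
# that xpextensions' xpserver_ext sets.
write_cnf() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.pem
private_key = $1/ca.key
default_md = sha256
default_days = 730
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Empty CA database in $1: nothing issued yet, serial counter at 01. This
# state (index.txt, serial) is what must stay with the CA key.
init_db() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"; write_cnf "$1"
}

# Fresh CA in $1: new database plus a new self-signed CA key and cert.
# Running it again on the same directory replaces the CA key.
init_ca() {
  init_db "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$ORG/CN=Example RADIUS CA" -config "$1/ca.cnf" -extensions ca_ext \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Issue $1/$2.key and $1/$2.pem for server $2, signed by the CA in $1.
issue_server() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$ORG/CN=$2" \
    -config "$1/ca.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$1/ca.cnf" -extensions server_ext \
    -in "$1/$2.csr" -out "$1/$2.pem" >/dev/null 2>&1
}

# Status 0 if certificate $2 chains to CA file $1 (what the supplicant checks).
verify_cert()  { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Print "serial=NN" / the RFC 2253 subject of certificate file $1.
cert_serial()  { openssl x509 -in "$1" -noout -serial; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

# The thread's scenario under $1: ca1 is the signing machine, ca2 a second
# machine that only received ca.pem and ca.key.
demo() {
  init_ca "$1/ca1"
  issue_server "$1/ca1" radius1.example.net
  issue_server "$1/ca1" radius2.example.net
  for h in radius1.example.net radius2.example.net; do
    echo "$h: $(cert_subject "$1/ca1/$h.pem") $(cert_serial "$1/ca1/$h.pem")"
    verify_cert "$1/ca1/ca.pem" "$1/ca1/$h.pem" && echo "$h: chain OK"
  done
  # Second machine: same CA key, fresh database -> serial 01 is reused.
  init_db "$1/ca2"
  cp "$1/ca1/ca.pem" "$1/ca1/ca.key" "$1/ca2/"
  issue_server "$1/ca2" radius3.example.net
  echo "radius3 (second machine): $(cert_serial "$1/ca2/radius3.example.net.pem")"
  # Recreating the CA (what "make" does when ca.cnf is newer than ca.key)
  # yields a new key, so certificates issued earlier no longer validate.
  init_ca "$1/ca1"
  verify_cert "$1/ca1/ca.pem" "$1/ca1/radius1.example.net.pem" \
    || echo "radius1 vs recreated CA: chain could not be validated"
}

WORK=$(mktemp -d)
demo "$WORK"
```

Two things the run makes visible. First, the serial counter and index.txt are part of the CA, not of the server: radius1 (signed on the first machine) and radius3 (signed on the second, from a copied ca.key) both come out with serial 01, which is exactly the clash Matt describes, and a CRL cannot tell them apart. Second, the only test that matters to the supplicant is openssl verify against the ca.pem actually distributed to clients: after the CA is regenerated, radius1.pem still verifies against the old copy in ca2/ but not against the new ca1/ca.pem, which is the "chain could not be validated" symptom. In a real deployment, add a subjectAltName with the server's DNS name to server_ext as well, since supplicants match the name they are configured with against the certificate.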