On 03/24/2010 11:13 AM, sphaero wrote:


Matt Harlum wrote:

Hi,

John covered pretty much everything I was going to say

I'd recommend choosing a machine to generate your keys and certs on and
sticking with that, otherwise you'll end up with SSL Certs with clashing
serial numbers
Plus it'll allow you to revoke certificates later if need be


Regards,
Matt Harlum

On 24/03/2010, at 11:30 PM, John Dennis wrote:

On 03/24/2010 06:21 AM, sphaero wrote:

Hi All,

I've been searching the archives for a while on some guidance into setting
up multiple radius servers using the same CA for use with EAP/TTLS.

I've generated a CA which is distributed to all the clients (i.e.
SecureW2).
I've got 2 radius servers for redundancy. All NAS devices have two radius
servers configured.

I'm using the scripts from freeradius 2.0 to generate the certificates
according to instructions in the README. I've setup the ca.cnf and
server.cnf (not using eap/tls so I skip clients.cf).

On the primary radius server I generated the certificates by issuing:
make

Now on the second radius server I just copy the following files:
/certs/ca.pem
/certs/ca.key
/certs/ca.der
/certs/*.cnf
/certs/Makefile
/certs/README
/certs/xpextensions

and issue:
make server
make dh

This seems to have worked. But is this really correct?
I'm renewing one radius server and did this procedure again but now I'm
receiving "chain could not be validated" errors in SecureW2. Radius log
seems fine however EAP communication is not finished which corresponds with
the client stopping communication since it can't validate the certificate.
I'm really getting lost in the SSL jungle. I would really like to understand
how this is done right, since it is about security.

It would help to read the Makefile and understand it. Your goal is to
produce multiple certificates, each with a unique subject (e.g. the host
name of the radius server) and have it signed by the ca. There is no need
to do this process on each machine, the creation of certs can be done on
any machine.

Find the part of the Makefile which says this:

"Create a new server certificate, signed by the above CA."

If you make the target server.pem target (e.g. make server) it will cause
the Makefile to execute a series of commands to produce the certificate
starting with a CSR (Certificate Signing Request). Note, the server.csr
target depends on server.cnf so make sure you edit this for each server
whose certificate you want to generate (see the req(1) man page to
understand how the certificate subject, e.g. DN, may be specified).

But also note in the Makefile that server.crt is dependent on ca.key and
ca.pem, which themselves are dependent on ca.cnf. If when you copy the
files the ca.cnf file ends up with a newer timestamp than ca.key or
ca.pem then a new ca will be created, you don't want that. You can either
fix the timestamps using touch or just make all the certs on one machine
so you don't have to worry about the ca being recreated.


After you've created your certificates on the one machine (don't forget to
rename the server.{crt,p12,pem} files) dump them out using

openssl x509 -in XXX.pem -inform PEM -text

and verify each has the certificate subject you expected.

Then verify each cert with:

openssl verify -CAfile ca.pem XXX.pem

If that succeeds you'll know each is successfully signed by the same ca
and you can distribute that ca to your clients. Then copy your server
certs to your RADIUS hosts, don't forget to edit the config so
certificate names match how you named your certs (it will no longer be
server.{crt,p12,pem}).
--
John Dennis<jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
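The flow John describes above, as an added example that is not part of the thread and not the FreeRADIUS certs/ Makefile: one directory stands in for "the one machine" that owns ca.key and the serial file, each RADIUS host gets its own CSR with a unique CN, the CA signs it, and every result is checked with `openssl verify -CAfile ca.pem` and has its subject and serial dumped. It uses `openssl x509 -req` with a `serial` file instead of the Makefile's `openssl ca` (so no ca.cnf is needed) and leaves the constructed CA key unencrypted with `-nodes`, which the real Makefile does not do. The second half reproduces Matt's warning: a copy of the CA on a second machine with its own fresh serial file hands out a serial that is already in use.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): issue one certificate per
# RADIUS host from a single CA directory, then run the checks John suggests.
set -eu

# Create a throwaway CA (constructed for this demo) in $1.  The serial file is
# the issuance state that must live next to ca.key, on one machine only.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example RADIUS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    echo 01 > "$dir/serial"
}

# Issue a server certificate in $1 for host $2 (also used as the CN).  Each
# server needs a distinct subject; the same CSR config reused unchanged on
# two hosts would give both the same subject, which the checks below expose.
issue_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAserial "$dir/serial" \
        -out "$dir/$host.pem" 2>/dev/null
}

# Subject of a certificate in RFC 2253 form, e.g. "CN=radius1".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Serial number of a certificate, hex as openssl prints it.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//'
}

# John's check: does the cert chain to $1/ca.pem?  Returns verify's status.
verify_against_ca() {
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

# Matt's check: number of distinct serials among the given certs.  Lower than
# the number of files means two certificates share a serial.
count_distinct_serials() {
    for f in "$@"; do cert_serial "$f"; done | sort -u | wc -l | tr -d ' '
}

main() {
    one=$(mktemp -d)            # the single signing machine
    make_ca "$one"
    issue_server_cert "$one" radius1
    issue_server_cert "$one" radius2
    for h in radius1 radius2; do
        printf '%s: subject=%s serial=%s ' "$h" \
            "$(cert_subject "$one/$h.pem")" "$(cert_serial "$one/$h.pem")"
        verify_against_ca "$one" "$one/$h.pem" && echo "chain OK" || echo "chain FAILED"
    done
    echo "distinct serials on one machine: $(count_distinct_serials "$one"/radius?.pem)"

    # The anti-pattern: a second machine gets a copy of ca.pem/ca.key but
    # starts its own serial file, so it reissues a serial already in use.
    two=$(mktemp -d)
    cp "$one/ca.pem" "$one/ca.key" "$two/"
    echo 01 > "$two/serial"
    issue_server_cert "$two" radius2
    echo "distinct serials across two machines: $(count_distinct_serials "$one/radius1.pem" "$two/radius2.pem")"
    rm -rf "$one" "$two"
}

# The demo needs the openssl CLI; skip it where that is not installed.
command -v openssl >/dev/null 2>&1 && main
```

Run it as-is to see two certificates with different subjects and serials that both verify against the CA, followed by the duplicate serial that a second signing machine produces. Replacing `make_ca` with the existing ca.pem/ca.key from the certs/ directory (and its serial file) turns the same functions into a check you can run over real server certs before copying them to the RADIUS hosts.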



Hi all,

Thanks for these clarifications. So to clear this up I now have one machine
to generate the certificates. This machine had its CA set up according to
instructions found in the certs/README distributed with FR 2.

Certificates for a second radius server (radius2) using the same CA are
generated as follows:

# Certificate request (.csr) and key (.key)
openssl req -new -out radius2.csr -keyout radius2.key -config ./server.cnf
# Certificate (.crt)
openssl ca -batch -keyfile ca.key -cert ca.pem -in radius2.csr -key $PASSWORD_CA \
    -out radius2.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
# p12
openssl pkcs12 -export -in radius2.crt -inkey radius2.key -out radius2.p12 \
    -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
# PEM
openssl pkcs12 -in radius2.p12 -out radius2.pem \
    -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER

(Of course the password vars are replaced with the vars in the ca.cnf &
server.cnf)

I then copy the following files onto this second radius server:
radius2.pem and ca.pem

Finally I generate a dh file on the second radius server:
openssl dhparam -out dh 1024

Bump, still doesn't work :(
Am I still doing something wrong?

Did you edit your eap.conf file to point to radius2.pem? Did you set your private_key_password in eap.conf to match $PASSWORD_CA used above? BTW, don't use the same password as in the example ;-)

Did you verify the certs as suggested above?

Saying something doesn't work isn't helpful, the log output would be helpful.

--
John Dennis <jden...@redhat.com>

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
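John's last two questions (does eap.conf point at radius2.pem, and does private_key_password unlock the key inside it) can be answered on the RADIUS host before restarting the server. The following is an added example, not from the thread and not FreeRADIUS code: it reads the `private_key_file`, `certificate_file` and `private_key_password` settings from a tls block, tests that the passphrase decrypts the key, and confirms that the key and certificate belong together by comparing RSA moduli. It assumes a tls block written with literal paths (FreeRADIUS configs normally use `${certdir}/...`, which this small parser does not expand) and builds its own radius2.pem, an encrypted key and a self-signed certificate concatenated in one file, as a constructed stand-in for the pkcs12-derived radius2.pem in the commands above. Chain validation against ca.pem is the `openssl verify -CAfile` step John already gave and is not repeated here.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): sanity-check the eap.conf
# tls settings against the key and certificate files they point at.
set -eu

# Read "name = value" from a config file; first match wins, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# Does passphrase $2 actually unlock the private key in $1?
key_password_ok() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Does the private key in $1 (passphrase $2) belong to the certificate in $3?
# Both commands print "Modulus=<hex>"; a matching pair prints the same line.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null || true)
    c=$(openssl x509 -in "$3" -noout -modulus 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run every check for one eap.conf.  Prints a verdict per check and returns 0
# only when all of them pass.
check_tls_config() {
    conf=$1
    key=$(conf_get private_key_file "$conf")
    cert=$(conf_get certificate_file "$conf")
    pw=$(conf_get private_key_password "$conf")
    rc=0
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    if key_password_ok "$key" "$pw"; then echo "private_key_password: OK"
    else echo "private_key_password: does not unlock $key"; rc=1; fi
    if key_matches_cert "$key" "$pw" "$cert"; then echo "key/cert pair: OK"
    else echo "key/cert pair: key in $key does not match $cert"; rc=1; fi
    return "$rc"
}

# Constructed fixture in $1: a key encrypted with passphrase $2 and a
# self-signed certificate, concatenated into radius2.pem the way the thread's
# "openssl pkcs12 -in radius2.p12 -out radius2.pem" step produces it, plus a
# tls fragment whose private_key_password is $3 (equal to $2 or not).
make_demo_conf() {
    dir=$1; keypw=$2; confpw=$3
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=radius2" \
        -passout "pass:$keypw" -keyout "$dir/k.tmp" -out "$dir/c.tmp" 2>/dev/null
    cat "$dir/k.tmp" "$dir/c.tmp" > "$dir/radius2.pem"
    rm -f "$dir/k.tmp" "$dir/c.tmp"
    cat > "$dir/eap.conf" <<EOF
tls {
    private_key_password = $confpw
    private_key_file = $dir/radius2.pem
    certificate_file = $dir/radius2.pem
}
EOF
}

main() {
    d=$(mktemp -d)
    make_demo_conf "$d" secret secret
    check_tls_config "$d/eap.conf"          # both checks pass
    make_demo_conf "$d" secret not-secret   # eap.conf carries the wrong passphrase
    check_tls_config "$d/eap.conf" || echo "-> fix private_key_password in eap.conf"
    rm -rf "$d"
}

# The checks need the openssl CLI; skip the demo where it is not installed.
command -v openssl >/dev/null 2>&1 && main
```

On a real host, point `check_tls_config` at the tls section of eap.conf (with the `${certdir}` references expanded) after copying radius2.pem over; a failing password check is exactly the case John asks about, and a failing pair check means the cert and key that went into the p12 did not come from the same CSR.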
