Hi,

You will need to purchase a Unified Communications certificate from a CA.

To generate the CSR, here is the guide: http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

On Tue, 2013-04-02 at 16:22 +0100, Phil Mayers wrote:
> On 02/04/2013 15:22, Rudolf Henze wrote:
> > Hi,
> > I am using freeradius 2.1.10 with a self-signed certificate with PEAP and
> > mschapv2 and LDAP authentication.
> > I've copied my CA certificate to all clients to be sure that I am really
> > using the right network and not a fake SSID.
> >
> > But this is a little inconvenient. Is it possible to use a "real"
> > certificate? What do I bear in mind for that?
>
> Several things:
>
> First, anyone can get certs from public CAs, so you should ensure that
> your client is a) validating the server cert against the specific CA and
> b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing
> and credential capture. Note that some platforms (Android?) can't
> validate cert CN, so can't be made secure.
>
> Second, your cert will need to have the right OIDs and such. If you want
> it to be "hassle free" deployment, it'll need to be from a CA widely
> trusted by your client base, and ideally one that's easy to identify -
> specifically easy to pick from the "validate cert" list. Verisign have
> been bad at this - they've got lots of certs with "friendly" names all
> starting "VeriSign Class 3" which get truncated on narrow (mobile)
> screens. Guess the cert!
>
> Third, note that commercial CAs have a nasty habit of rotating their
> intermediate and top-level certs far more often than you would expect.
> We're in the irritating position of having a public cert (to avoid the
> deployment nightmare of a private cert on >10k unmanaged devices) and
> Verisign have just changed their root cert, despite it having 7 more
> years to run. So, all of those clients now have to re-trust the cert.
>
> Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods
> are the only vaguely usable ones.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
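
The client-side checks discussed in the quoted reply (pin the specific CA, then check the server name in the certificate), shown as wpa_supplicant network blocks. This is an added example, not part of the original thread; the SSID, identity, CA file path and server name are placeholder assumptions.

```conf
# Constructed example. The two blocks are alternatives for the same network,
# shown side by side; a real wpa_supplicant.conf would contain only one.
# The password is left out on purpose (supplied at connect time).

# Weak: no ca_cert is set, so the RADIUS server certificate is not verified.
# Any access point that advertises this SSID can complete the PEAP handshake
# and receive the MSCHAPv2 exchange.
network={
    ssid="example-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    phase2="auth=MSCHAPV2"
}

# Hardened: the server certificate must chain to one specific CA file, and it
# must carry the expected RADIUS server name.
network={
    ssid="example-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    # a) Trust only this CA for this network, not the whole system trust
    #    store. With a public CA this is the file that has to be updated
    #    on clients when the CA rotates its root or intermediate.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # b) Require this DNS name in the certificate's subjectAltName. Pinning
    #    the CA alone is not enough with a public CA, because anyone can
    #    obtain a certificate from it for a name of their own.
    altsubject_match="DNS:radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

The name in `altsubject_match` has to be one of the subjectAltName entries placed in the CSR, so it should be chosen before the certificate is requested.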