Adding a signed certificate from a signing authority

2010-05-11 Thread Iain Grant
Apologies, I seem to be hogging this today.

My radius server is working fine, so now I want to add a signed
certificate from a certificate authority.
Are there any pointers on how to do this?

I have found and carried out the steps on the wiki site around using
snake oil certificates and then creating your own production
certificates. But I now would like to add the externally signed
certificate for added security.

Thanks again 

Iain


__
SCRI, Invergowrie, Dundee, DD2 5DA.  
The Scottish Crop Research Institute is a charitable company limited by 
guarantee. 
Registered in Scotland No: SC 29367.
Recognised by the Inland Revenue as a Scottish Charity No: SC 006662.


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Adding a signed certificate from a signing authority

2010-05-11 Thread Alan Buxey
Hi,

> I have found and carried out the steps on the wiki site around using “snake
> oil” certificates and then creating your own production certificates. But I
> now would like to add the externally signed certificate for added security.

sure... just put the relevant files into the right place... and edit
the eap.conf accordingly. you will need the server cert and the CA..
if the CA is a chained cert, then you'll need the CA and its next up
(and its next up and its next up etc) concatenated in the same single
file.  there's nothing magical about using real certs... these days
it seems some real world certs are just as work-causing/onerous as
'snake oil' certs.   personally, I fall into the 'closed loop' camp
which believes that using your own CA is more secure than some random
external CA that anyone can get a cert from... no one else but your users
will authenticate against your RADIUS server (external visitors get proxied
and only have to trust their home RADIUS)... and, as previously mentioned,
lots of current external 3rd parties require you to update/change/install
certs on the client (take the recent TERENA SSLs served by JANET for
example.)

alan
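
The concatenation step described in the reply above, as an added example that is not part of the original thread or FreeRADIUS's own scripts: it builds a throwaway root, intermediate and server certificate (all names and file names are constructed), joins the CA certificates into one file, and uses `openssl verify` to show that the server certificate validates only against the complete bundle. The resulting `ca-bundle.pem` stands for the file that `CA_file` in the `tls` section of eap.conf would point to.

```bash
#!/bin/sh
# Added example with constructed names; every certificate here is throwaway test data.
set -eu

new_csr() {  # $1 = dir, $2 = base name, $3 = CN: fresh key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = dir: root -> intermediate -> server, standing in for the external CA
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  new_csr "$d" int "Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  new_csr "$d" server "radius.example.org"
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

build_ca_bundle() {  # $1 = dir: issuing CA first, then each CA above it, in one file
  cat "$1/int.pem" "$1/root.pem" > "$1/ca-bundle.pem"
}

chain_ok() {  # $1 = server cert, $2 = CA file: succeeds only if the file completes the chain
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {  # compare the full bundle with each CA certificate on its own
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  build_ca_bundle "$dir"
  for ca in ca-bundle.pem root.pem int.pem; do
    if chain_ok "$dir/server.pem" "$dir/$ca"; then r="verifies"; else r="does NOT verify"; fi
    echo "server.pem against $ca: $r"
  done
  rm -rf "$dir"
}
demo
```

Running the same `openssl verify -CAfile` check against the real server certificate and the bundle supplied by the external CA, before restarting the RADIUS server, catches a missing intermediate early.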