the truth is that follow in the footsteps of the file certs / readme
I looked at the howto - http://freeradius.org/doc/EAPTLS.pdf and says
nothing of the buildup of certificates. I follow these steps:
README
***
This directory contains scripts to create the server certificates.
To make a set of default (i.e. test) certificates, simply type:
$ ./bootstrap
The openssl command will be run against the sample configuration
files included here, and will make a self-signed certificate authority
(i.e. root CA), and a server certificate. This root CA should be
installed on any client machine needing to do EAP-TLS, PEAP, or
EAP-TTLS.
The Microsoft XP Extensions will be automatically included in the
server certificate. Without those extensions Windows clients will
refuse to authenticate to FreeRADIUS.
In general, you should use self-signed certificates for 802.1x (EAP)
authentication. When you list root CAs from other organizations in
the CA_file, you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
the server in root in debugging mode should also create test
certificates, i.e.:
$ radiusd -X
That will cause the EAP-TLS module to run the bootstrap script in
this directory. The script will be executed only once, the first time
the server has been installed on a particular machine. This bootstrap
script SHOULD be run on installation of any pre-built binary package
for your OS. In any case, the script will ensure that it is not run
twice, and that it does not over-write any existing certificates.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new certs directory containing your
certificates. Note that the make install command will NOT
over-write your existing raddb/certs directory, which means that the
bootstrap command will not be run.
NEW INSTALLATIONS OF FREERADIUS
We suggest that new installations use the test certificates for
initial tests, and then create real certificates to use for normal
user authentication. See the instructions below for how to create the
various certificates. The old test certificates can be deleted by
running the following command:
$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
Then, follow the instructions below for creating real certificates.
Once the final certificates have been created, you can delete the
bootstrap command from this directory, and delete the
make_cert_command configuration from the tls sub-section of
eap.conf.
If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete
the relevant sub-sections from the eap.conf file.
MAKING A ROOT CERTIFICATE
$ vi ca.cnf
Edit the input_password and output_password fields to be the
password for the CA certificate.
Edit the [certificate_authority] section to have the correct values
for your country, state, etc.
$ make ca.pem
This step creates the CA certificate.
$ make ca.der
This step creates the DER format of the self-signed certificate,
which is can be imported into Windows.
MAKING A SERVER CERTIFICATE
$ vi server.cnf
Edit the input_password and output_password fields to be the
password for the server certificate.
Edit the [server] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
different from the commonName for the CA certificate.
$ make server.pem
This step creates the server certificate.
If you have an existing certificate authority, and wish to create a
certificate signing request for the server certificate, edit
server.cnf as above, and type the following command.
$ make server.csr
You will have to ensure that the certificate contains the XP
extensions needed by Microsoft clients.
MAKING A CLIENT CERTIFICATE
Client certificates are used by EAP-TLS, and optionally by EAP-TTLS
and PEAP. The following steps outline how to create a client
certificate that is signed by the server certificate created above.
You will have to have the password for the server certificate in the
input_password and output_password fields of the server.cnf file.
$ vi client.cnf
Edit the input_password and output_password fields to be the
password for the client certificate. You will have to give these
passwords to the end user who will be using the certificates.
Edit the [client] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
the User-Name that will be used for logins!
$ make client.pem
The users certificate will be in commonName.pem,
i.e. [EMAIL PROTECTED].
To create another client certificate, just repeat the steps for
making a client certificate,