Re: certificates confusion
[EMAIL PROTECTED] wrote:
>> There is also an unrelated problem that causes the CA to only last 30
>> days. See here http://bugs.freeradius.org/show_bug.cgi?id=615
>>
>
> Hm, I was under the impression that this was sorted:

No. I've just pushed some fixes to git.freeradius.org.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: certificates confusion
That'll work too. But as-of 2.1.1 the release is still un-patched.

-Ted-

[EMAIL PROTECTED] wrote:
> > There is also an unrelated problem that causes the CA to only last 30
> > days. See here http://bugs.freeradius.org/show_bug.cgi?id=615
>
> Hm, I was under the impression that this was sorted:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00653.html
>
> That solution works.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: certificates confusion
>There is also an unrelated problem that causes the CA to only last 30
>days. See here http://bugs.freeradius.org/show_bug.cgi?id=615
>

Hm, I was under the impression that this was sorted:

http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00653.html

That solution works.

Ivan Kalik
Kalik Informatika ISP

Re: certificates confusion
Is tinyca able to add the OIDs supposedly required for Windows?

-Ted-

Paul Bartell wrote:
> tinyca is a nice graphical interface for linux with openssl in the
> backend. It's much easier than remembering all the openssl commands
> needed, especially when you don't add/revoke certificates all the time.
>
> On Mon, Nov 24, 2008 at 1:18 PM, Craig White <[EMAIL PROTECTED]> wrote:
> > please excuse me if this isn't entirely related to freeradius but it's
> > all about getting WindowsXP laptops to my wireless network with
> > freeradius and 802.1x
> >
> > I see that there are certificate failures and am thinking that I need to
> > clean this up
> >
> > up until now, server2 is my ca and I have used that to generate and sign
> > certificates.
> >
> > my radius server though is running on server1 and I think that my
> > failure is related to the fact that I'm generating the certificates and
> > signing them with server2.
> >
> > So my questions...
> >
> > 1. Do I set up server1 to be its own CA or do I still use server2 as the
> > CA?
> >
> > 2. If server2 is the CA, do I then generate the request on server1, copy
> > it to server2 and then sign it on server2?
> >
> > 3. Does anyone see any problems with these methods of generating
> > certificates ? (openssl on Linux)
> >
> > # Generate server certificate signing request
> > openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
> >  -out $SSL/radius_server_req.pem \
> >  -days 730 \
> >  -config $SSL/openssl.cnf
> >
> > # Sign server certificate
> > openssl ca -config $SSL/openssl.cnf \
> >  -policy policy_anything \
> >  -out radius_server_cert.pem \
> >  -extensions xpserver_ext \
> >  -extfile $SSL/xpextensions \
> >  -infiles $SSL/radius_server_req.pem
> >
> > # Edit out text information in radius_server_cert.pem and then run
> > # cat $SSL/radius_server_key.pem \
> > # $SSL/radius_server_cert.pem > \
> > # $SSL/radius_server_keycert.pem
> >
> > # Generate client certificates
> > #
> > openssl req -new -keyout $SSL/radius_client_key.pem \
> >  -out $SSL/radius_client_req.pem \
> >  -days 730 \
> >  -config $SSL/openssl.cnf
> >
> > # Sign client certificates
> > openssl ca -config $SSL/openssl.cnf \
> >  -policy policy_anything \
> >  -out $SSL/radius_client_cert.pem \
> >  -extensions xpclient_ext \
> >  -extfile $SSL/xpextensions \
> >  -infiles $SSL/radius_client_req.pem
> > #
> > cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > $SSL/radius_client_keycert.pem
> >
> > Thanks
> >
> > Craig

Re: certificates confusion
tinyca is a nice graphical interface for linux with openssl in the
backend. It's much easier than remembering all the openssl commands
needed, especially when you don't add/revoke certificates all the time.

On Mon, Nov 24, 2008 at 1:18 PM, Craig White <[EMAIL PROTECTED]> wrote:
> please excuse me if this isn't entirely related to freeradius but it's
> all about getting WindowsXP laptops to my wireless network with
> freeradius and 802.1x
>
> I see that there are certificate failures and am thinking that I need to
> clean this up
>
> up until now, server2 is my ca and I have used that to generate and sign
> certificates.
>
> my radius server though is running on server1 and I think that my
> failure is related to the fact that I'm generating the certificates and
> signing them with server2.
>
> So my questions...
>
> 1. Do I set up server1 to be its own CA or do I still use server2 as the
> CA?
>
> 2. If server2 is the CA, do I then generate the request on server1, copy
> it to server2 and then sign it on server2?
>
> 3. Does anyone see any problems with these methods of generating
> certificates ? (openssl on Linux)
>
> # Generate server certificate signing request
> openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
>  -out $SSL/radius_server_req.pem \
>  -days 730 \
>  -config $SSL/openssl.cnf
>
> # Sign server certificate
> openssl ca -config $SSL/openssl.cnf \
>  -policy policy_anything \
>  -out radius_server_cert.pem \
>  -extensions xpserver_ext \
>  -extfile $SSL/xpextensions \
>  -infiles $SSL/radius_server_req.pem
>
> # Edit out text information in radius_server_cert.pem and then run
> # cat $SSL/radius_server_key.pem \
> # $SSL/radius_server_cert.pem > \
> # $SSL/radius_server_keycert.pem
>
> # Generate client certificates
> #
> openssl req -new -keyout $SSL/radius_client_key.pem \
>  -out $SSL/radius_client_req.pem \
>  -days 730 \
>  -config $SSL/openssl.cnf
>
> # Sign client certificates
> openssl ca -config $SSL/openssl.cnf \
>  -policy policy_anything \
>  -out $SSL/radius_client_cert.pem \
>  -extensions xpclient_ext \
>  -extfile $SSL/xpextensions \
>  -infiles $SSL/radius_client_req.pem
> #
> cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > $SSL/radius_client_keycert.pem
>
> Thanks
>
> Craig

Re: certificates confusion
/certs does not work as-is. See
http://bugs.freeradius.org/show_bug.cgi?id=614

I fixed mine by changing the script to sign the client with the CA
instead of the server. While there are a number of ways to go about it
this was the most expedient.

There is also an unrelated problem that causes the CA to only last 30
days. See here http://bugs.freeradius.org/show_bug.cgi?id=615

Use /certs with care!

-Ted-

[EMAIL PROTECTED] wrote:
> > my radius server though is running on server1 and I think that my
> > failure is related to the fact that I'm generating the certificates and
> > signing them with server2.
>
> Yes. Same CA has to be used for server and client certificates.
>
> > So my questions...
> >
> > 1. Do I set up server1 to be its own CA or do I still use server2 as the
> > CA?
>
> Both ways can work.
>
> > 2. If server2 is the CA, do I then generate the request on server1, copy
> > it to server2 and then sign it on server2?
>
> Or you can copy the CA certificate to server1, generate csr and sign it
> there.
>
> > 3. Does anyone see any problems with these methods of generating
> > certificates ? (openssl on Linux)
>
> You have such stuff in freeradius /certs directory. Feel free to
> compare.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: certificates confusion
>my radius server though is running on server1 and I think that my
>failure is related to the fact that I'm generating the certificates and
>signing them with server2.
>

Yes. Same CA has to be used for server and client certificates.

>So my questions...
>
>1. Do I set up server1 to be its own CA or do I still use server2 as the
>CA?
>

Both ways can work.

>2. If server2 is the CA, do I then generate the request on server1, copy
>it to server2 and then sign it on server2?
>

Or you can copy the CA certificate to server1, generate csr and sign it
there.

>3. Does anyone see any problems with these methods of generating
>certificates ? (openssl on Linux)
>

You have such stuff in freeradius /certs directory. Feel free to
compare.

Ivan Kalik
Kalik Informatika ISP

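The two checks the replies above turn on (server and client certificates issued by the same CA, and a CA that is not about to expire), as an added shell example that is not code from any poster or from FreeRADIUS. It builds a throwaway PKI with `openssl x509 -req` rather than the `openssl ca` commands in the original post; all file names and subjects are constructed, and the `xpextensions` contents are assumed to be the serverAuth/clientAuth EKU OIDs.

```sh
#!/bin/sh
# Added example. Every file name and subject below is constructed for the demo.

# check_radius_certs CA SERVER CLIENT [MIN_DAYS]
# Succeeds only if SERVER and CLIENT both chain to CA with the matching
# purpose and CA stays valid for at least MIN_DAYS (default 90).
check_radius_certs() {
    ca=$1; server=$2; client=$3; min_days=${4:-90}; rc=0
    openssl verify -CAfile "$ca" -purpose sslserver "$server" 2>/dev/null |
        grep -q ': OK$' || { echo "FAIL: $server not a server cert from $ca"; rc=1; }
    openssl verify -CAfile "$ca" -purpose sslclient "$client" 2>/dev/null |
        grep -q ': OK$' || { echo "FAIL: $client not a client cert from $ca"; rc=1; }
    openssl x509 -in "$ca" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: $ca expires within $min_days days"; rc=1; }
    return $rc
}

# make_demo_pki DIR: throwaway PKI with ca1 (3650 days) and ca2 (30 days);
# server.pem and client1.pem are signed by ca1, client2.pem by ca2.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    # Assumed contents: serverAuth / clientAuth EKU OIDs; section names follow the post.
    printf '%s\n' '[xpserver_ext]' 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1' \
        '[xpclient_ext]' 'extendedKeyUsage = 1.3.6.1.5.5.7.3.2' > "$d/xpextensions"
    for spec in ca1:3650 ca2:30; do
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=demo ${spec%:*}" -days "${spec#*:}" \
            -keyout "$d/${spec%:*}.key" -out "$d/${spec%:*}.pem" 2>/dev/null
    done
    for spec in server:ca1:xpserver_ext client1:ca1:xpclient_ext client2:ca2:xpclient_ext; do
        name=${spec%%:*}; rest=${spec#*:}; ca=${rest%:*}; ext=${rest#*:}
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=demo $name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
            -CAcreateserial -days 365 -extfile "$d/xpextensions" -extensions "$ext" \
            -out "$d/$name.pem" 2>/dev/null
    done
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_radius_certs "$demo/ca1.pem" "$demo/server.pem" "$demo/client1.pem" && echo "same CA: OK"
check_radius_certs "$demo/ca1.pem" "$demo/server.pem" "$demo/client2.pem" || echo "mixed CAs rejected"
```
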
certificates confusion
please excuse me if this isn't entirely related to freeradius but it's
all about getting WindowsXP laptops to my wireless network with
freeradius and 802.1x

I see that there are certificate failures and am thinking that I need to
clean this up

up until now, server2 is my ca and I have used that to generate and sign
certificates.

my radius server though is running on server1 and I think that my
failure is related to the fact that I'm generating the certificates and
signing them with server2.

So my questions...

1. Do I set up server1 to be its own CA or do I still use server2 as the
CA?

2. If server2 is the CA, do I then generate the request on server1, copy
it to server2 and then sign it on server2?

3. Does anyone see any problems with these methods of generating
certificates ? (openssl on Linux)

# Generate server certificate signing request
openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
 -out $SSL/radius_server_req.pem \
 -days 730 \
 -config $SSL/openssl.cnf

# Sign server certificate
openssl ca -config $SSL/openssl.cnf \
 -policy policy_anything \
 -out radius_server_cert.pem \
 -extensions xpserver_ext \
 -extfile $SSL/xpextensions \
 -infiles $SSL/radius_server_req.pem

# Edit out text information in radius_server_cert.pem and then run
# cat $SSL/radius_server_key.pem \
# $SSL/radius_server_cert.pem > \
# $SSL/radius_server_keycert.pem

# Generate client certificates
#
openssl req -new -keyout $SSL/radius_client_key.pem \
 -out $SSL/radius_client_req.pem \
 -days 730 \
 -config $SSL/openssl.cnf

# Sign client certificates
openssl ca -config $SSL/openssl.cnf \
 -policy policy_anything \
 -out $SSL/radius_client_cert.pem \
 -extensions xpclient_ext \
 -extfile $SSL/xpextensions \
 -infiles $SSL/radius_client_req.pem
#
cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem > $SSL/radius_client_keycert.pem

Thanks

Craig