Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

2005-08-16 Thread Zoltan Ori
On Tuesday 16 August 2005 10:28, Jamie Crawford wrote:
> Everything seems to work great until
> the certificate negotiation, then it blows chunks.


Bad or wrong certificates. Server and supplicant need a copy of the same 
trusted root certificate. 

Zoltan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
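
Added example, not part of either post: a POSIX shell check of Zoltan's point above (server and supplicant must share the same trusted root), extended to the serverAuth extendedKeyUsage that Jamie's xpextensions file adds for Windows XP later in the thread, and to the key/certificate pairing. It assumes the thread's file names (cacert.pem, server_cert.pem, server_key.pem) and the openssl CLI; KEY_PASS defaults to the passphrase used in the thread and should be overridden.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the server certificate a
# FreeRADIUS PEAP setup hands to a Windows XP supplicant, using the same
# openssl CLI the thread uses. Arguments: trusted root, server cert, and
# optionally the server's private key (KEY_PASS defaults to "password", the
# passphrase the thread used; override it in your environment).
#
# Checks performed:
#   1. the server cert chains to the root the supplicant was given (cacert.pem)
#   2. it carries extendedKeyUsage serverAuth (1.3.6.1.5.5.7.3.1), the
#      extension Jamie's xpextensions file adds because XP requires it
#   3. it has not expired
#   4. (optional) the private key actually belongs to this certificate
check_peap_server_cert() {
    ca="$1"; cert="$2"; key="$3"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to trusted root $ca" >&2
        return 1
    fi
    # -text output lists the EKU on the line after its header
    eku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'X509v3 Extended Key Usage')
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: $cert lacks the serverAuth EKU that XP expects" >&2
           return 2 ;;
    esac
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 3
    fi
    if [ -n "$key" ]; then
        # compare the SubjectPublicKeyInfo from the cert with the key's public half
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout \
                  -passin "pass:${KEY_PASS:-password}" 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $cert" >&2
            return 4
        fi
    fi
    echo "OK: $cert is usable for PEAP against root $ca"
    return 0
}
```

Run it as `check_peap_server_cert certs/cacert.pem certs/server_cert.pem certs/server_key.pem` from the FreeRADIUS raddb directory; a non-zero exit names the first failing check.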


Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

2005-08-16 Thread Jamie Crawford
Thanks for your response.  I downloaded my cacert.pem and imported it into my 
xp client as a trusted root authority and that did not help.  Here are the 
steps I took to create my certs.  Remember I am trying to use PEAP. Thanks

Here's what I did to create the certs.
rhel as 4.0
freeradius 1.0.4
On my freeradius server I went to:
/usr/share/ssl/openssl.cnf
changed dir = ./productionCA
changed countryName_default = US
changed stateOrProvinceName_default = Missouri
changed localityName_default = Warrensburg
changed 0.organizationName_default = CMSU
changed organizationalUnitName_default = Information Services
changed commonName_default = Wireless
changed emailAddress_default = [EMAIL PROTECTED]
changed challengePassword_default = password

I saved the file.
Then I went into /usr/share/ssl/misc/CA and changed 
CATOP=./productionCA
Then I went back into the /usr/share/ssl directory and ran
/usr/share/ssl/misc/CA -newca
Entered my passphrase password
Verified password

Hit the default of US for Country name
Hit the default of Missouri for state name
Hit the default of Warrensburg for state name
Hit the default of CMSU for organization name
Hit the default of Information Services for organizational unit name
Hit the default of WIRELESS for the common name
Hit the default of [EMAIL PROTECTED] for the email address

Now I have my new root certificate (cacert.pem) and private key (cakey.pem).
In my /usr/share/ssl/productionCA directory I have
-rw-r--r--  1 root root 1346 Aug 16 14:54 cacert.pem
drwxr-xr-x  2 root root 4096 Aug 16 14:52 certs
drwxr-xr-x  2 root root 4096 Aug 16 14:52 crl
-rw-r--r--  1 root root    0 Aug 16 14:52 index.txt
drwxr-xr-x  2 root root 4096 Aug 16 14:52 newcerts
drwxr-xr-x  2 root root 4096 Aug 16 14:52 private
-rw-r--r--  1 root root    3 Aug 16 14:52 serial
In the private directory I have:
-rw-r--r--  1 root root 963 Aug 16 14:54 cakey.pem

Now I create my server certificate, but first I must create the xpextensions 
file because WindowsXP expects certain attributes in server and client 
certificates.

Contents of xpextensions
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Now I run:
openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config openssl.cnf

This asks for the PEM pass phrase:
So I enter password
I verify password

Hit the default of US for Country name
Hit the default of Missouri for state name
Hit the default of Warrensburg for state name
Hit the default of CMSU for organization name
Hit the default of Information Services for organizational unit name
Enter in server.cmsu.edu for the common name
Hit the default of [EMAIL PROTECTED] for the email address
It asks for a challenge password so I type in password
It asks for an optional company name and I hit enter for nothing.

This creates the files server_req.pem, which contains the actual request (an 
unsigned certificate), and server_key.pem, the private key.

Now I will use the ca key to sign the request.

openssl ca -config openssl.cnf -policy_anything -out server_cert.pem -extensions xpserver_ext -extfile xpextensions -infiles server_req.pem

This asks for the pass phrase for /productionCA/private/cakey.pem
I type in password

Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 16 20:09:23 2005 GMT
Not After : Aug 16 20:09:23 2006 GMT
Subject:
countryName   = US
stateOrProvinceName   = Missouri
localityName  = Warrensburg
organizationName  = CMSU
organizationalUnitName= Information Services
commonName= server.cmsu.edu
emailAddress  = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Aug 16 20:09:23 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This command reads the file server_req.pem and after prompting for my CA key's 
passphrase, saves a signed version of it plus its corresponding private key to 
the file server_cert.pem.

Now I opened up my signed certificate server_cert.pem and deleted everything 
before the line BEGIN CERTIFICATE

Now I concatenate it and my key into a single file by typing:
cat server_key.pem server_cert.pem > server_keycert.pem

Next I copy the server_keycert.pem file and cacert.pem file over to my certs 
directory.

While in this directory I run these two commands to create the dh file and 
random file.

openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2

my eap.conf file

tls {
private_key_password = password
private_key_file = ${raddbdir}/certs/server_keycert.pem