RE: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

2012-12-12 Thread Hurt,Trenton W.
Thank you. With this command I was able to get exactly what I needed.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James JJ Hooper
Sent: Tuesday, December 11, 2012 6:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

On 11 December 2012 22:19, Hurt,Trenton W.  wrote:
> No I’m actually using Idengines.  I have exported including the key, 
> and now have a .pfx file.  I need a .pem and private key file from the 
> pfx file.  I have tried a few different openssl commands on the pfx 
> file, but have yet to get the right combo for the server.
>

IIRC+AFAIK IdEngines uses freeradius underneath. If that's true you can do:

openssl pkcs12 -in yourcert.pfx -out cert-with-key.pem -nodes

to get your key and certificate in PEM format in one file. Then split 
cert-with-key.pem in to two files [e.g. duplicate the file and delete the bit 
you don't want from each with a text editor] - one file then has just your 
private key in it, one then has just your server-cert in it.

Then add the root ca cert and any chaining certs to your server cert *in order* 
(server-cert first [top of file], then any chaining [in order], then root 
[bottom of file])

e.g.

cat my-server.pem chain1.pem chain2.pem root.pem > combined.pem

The combined.pem and your-key.pem should be the two files you need.

Kind regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol 
http://www.wireless.bristol.ac.uk
--

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

2012-12-11 Thread James JJ Hooper
On 11 December 2012 22:19, Hurt,Trenton W.  wrote:
> No I’m actually using Idengines.  I have exported including the key, and now
> have a .pfx file.  I need a .pem and private key file from the pfx file.  I
> have tried a few different openssl commands on the pfx file, but have yet to
> get the right combo for the server.
>

IIRC+AFAIK IdEngines uses freeradius underneath. If that's true you can do:

openssl pkcs12 -in yourcert.pfx -out cert-with-key.pem -nodes

to get your key and certificate in PEM format in one file. Then split
cert-with-key.pem in to two files [e.g. duplicate the file and delete
the bit you don't want from each with a text editor] - one file then
has just your private key in it, one then has just your server-cert in
it.

Then add the root ca cert and any chaining certs to your server cert
*in order* (server-cert first [top of file], then any chaining [in
order], then root [bottom of file])

e.g.

cat my-server.pem chain1.pem chain2.pem root.pem > combined.pem

The combined.pem and your-key.pem should be the two files you need.

Kind regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
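
The split and ordering steps in the post above can be scripted and checked rather than done by hand in a text editor. This is an added example, not part of the original post; it assumes the `openssl` CLI is installed, and the file names, the throwaway "Demo Root" CA, the radius.example subject and the password "demo" are constructed for the demonstration.

```shell
# Added example, not from the thread. File names, the "Demo Root" CA, the
# radius.example subject and the password "demo" are constructed.

# split_pfx PFX PASSWORD OUTDIR -> your-key.pem, my-server.pem, chain.pem
split_pfx() {
  ( umask 077   # the extracted key is unencrypted: owner-only permissions
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes |
      openssl pkey -out "$3/your-key.pem" &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys |
      openssl x509 -out "$3/my-server.pem" &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/chain.pem"
  ) 2>/dev/null
}

# key_matches_cert KEY CERT: KEY is the private key of the first cert in CERT
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_in_order BUNDLE: each cert's issuer name is the subject of the next one
# (name chaining only; signatures are not verified here)
chain_in_order() {
  d=$(mktemp -d); i=1; ok=0
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++; keep=1} keep{print > (d "/" n ".pem")} /END CERTIFICATE/{keep=0}' "$1"
  while [ -f "$d/$((i + 1)).pem" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer_hash)
    sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject_hash)
    [ "$iss" = "$sub" ] || ok=1
    i=$((i + 1))
  done
  rm -rf "$d"; return "$ok"
}

# make_demo_pfx DIR: throwaway root CA + server cert bundled as DIR/demo.pfx
make_demo_pfx() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out root.pem -subj "/CN=Demo Root" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr -subj "/CN=radius.example" &&
    openssl x509 -req -in srv.csr -CA root.pem -CAkey ca.key -CAcreateserial -out srv.pem -days 1 &&
    openssl pkcs12 -export -inkey srv.key -in srv.pem -certfile root.pem -out demo.pfx -passout pass:demo
  ) >/dev/null 2>&1
}

work=$(mktemp -d)
make_demo_pfx "$work" && split_pfx "$work/demo.pfx" demo "$work"
# Server cert first, then chain and root, in the order the post gives
cat "$work/my-server.pem" "$work/chain.pem" > "$work/combined.pem"
key_matches_cert "$work/your-key.pem" "$work/combined.pem" && echo "key matches cert"
chain_in_order "$work/combined.pem" && echo "chain order ok"
```

For a real bundle, leave out `-passin` so that openssl prompts for the export password instead of exposing it in the process list.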



Re: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

2012-12-11 Thread James JJ Hooper
On 11 December 2012 21:59, Hurt,Trenton W.  wrote:
> What 3rd party CA’s are people using for their PEAP server side certificate?
> I have previously used verisign because they have a specialized wlan radius
> cert that included the correct EKU’s for server authentication,
> 1.3.6.1.5.5.7.3.1.  I cannot get the cert from verisign to work and I’m now
> looking at possibly changing CA’s.  My server requires the CSR be generated
> from the actual server itself, and it requires a .pem file and a private key
> file along with the private key passphrase when importing.


Hi Trent,
  I just had a look at what US eduroam providing institutions are
using. Results below. N.B. This was just a quick test, so the numbers
are only approximate (also, this is obviously indicative of
purchase-time choice, and so choices might be different if considered
now).

InCommon 34%
Comodo 12%
DigiCert 7.3%
Thawte 7.3%
VeriSign 4.9%
GlobalSign 4.9%
GeoTrust 4.9%
CaCert.org 2.4%
-
Self-Signed: ~22%

Kind regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

2012-12-11 Thread John Center

InCommon Federation
https://www.incommon.org/


On 12/11/2012 04:59 PM, Hurt,Trenton W. wrote:

What 3rd party CA’s are people using for their PEAP server side
certificate?  I have previously used verisign because they have a
specialized wlan radius cert that included the correct EKU’s for server
authentication, 1.3.6.1.5.5.7.3.1. I cannot get the cert from
verisign to work and I’m now looking at possibly changing CA’s.  My
server requires the CSR be generated from the actual server itself, and
it requires a .pem file and a private key file along with the private
key passphrase when importing.

Any suggestions, tips, tricks on this process is immensely appreciated.

Thanks
Trent



RE: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

2012-12-11 Thread Charles Rumford
I've used InCommon before with success.

Have you tried just a normal VeriSign cert and not the specialized one?



-Original Message-
From: Hurt,Trenton W. [trent.h...@louisville.edu]
Received: Tuesday, 11 Dec 2012, 16:58
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

What 3rd party CA’s are people using for their PEAP server side certificate?  I 
have previously used verisign because they have a specialized wlan radius cert 
that included the correct EKU’s for server authentication, 1.3.6.1.5.5.7.3.1.  
I cannot get the cert from verisign to work and I’m now looking at possibly 
changing CA’s.  My server requires the CSR be generated from the actual server 
itself, and it requires a .pem file and a private key file along with the 
private key passphrase when importing.

  Any suggestions, tips, tricks on this process is immensely appreciated.

Thanks
Trent

