Production Certificates

Once the initial EAP testing has been performed, it is time to create the real certificates to use in your production network. These certificates will be configured on the end hosts that will be doing PEAP, TTLS, or EAP-TLS authentication.

The FreeRADIUS certificate configuration files are located in /etc/raddb/certs/*.cnf. Most of the contents of those files can be ignored, as they configure various OpenSSL parameters. Some fields, shown in the excerpts below, should be edited to meet your local requirements.

ca.cnf

...
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever
output_password = whatever
x509_extensions = v3_ca

[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "Example Certificate Authority"
...

server.cnf

...
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = whatever
output_password = whatever

[server]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "Example Server Certificate"
...

You need to edit client.cnf only if you are using EAP-TLS. If not, then that file can be left as-is.

Once the ca.cnf and server.cnf files have been edited, re-create the CA and Server certificates as before in the EAP howto. This process will destroy any existing certificates, so you should make a backup of this directory before continuing.

$ cd /etc/raddb/certs
$ make

Depending on the version of FreeRADIUS, the output may be "make: Nothing to be done for `all'." In that case, you will have to remove some files manually, and then re-create the certificates:

$ rm -f *csr *key
$ make

Otherwise, you should see OpenSSL creating the keys and certificates, as shown below:

openssl req -new -x509 -keyout ca.key -out ca.pem -config ./ca.cnf
Generating a 2048 bit RSA private key
...................................................
etc.

Once the new certificates have been generated, restart the server in debugging mode, and repeat the tests given in the EAP howto. That is, leave the Validate Server Certificate box (or equivalent) unchecked, and try to log in using the same username and password as in the PAP howto.

If the authentication succeeds (and it should, if the EAP howto succeeded), then you can proceed to the next step, importing the root CA onto the client machines.

Client Certificates

Creating a client certificate is similar to the above steps. Just edit client.cnf, and set the appropriate fields in the [client] section at the bottom of the file. Save the file, and run the following command:

$ make client

This creates a new client certificate in client.pem. That certificate can be imported into a client and used for EAP-TLS authentication.

You can create a second client certificate by repeating the above steps. Be sure to use different values for the fields emailAddress and commonName. OpenSSL requires each client certificate to be unique, and will complain if you try to create two certificates that share those fields.
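The two mistakes this howto warns about, leaving the shipped placeholder values (including the key password "whatever") in ca.cnf, server.cnf or client.cnf, and creating two client certificates with the same emailAddress and commonName, can both be caught before running make. The following pre-flight check is an added example, not part of FreeRADIUS; its minimal .cnf reader, the DEFAULTS table (taken from the excerpts above) and the constructed sample client configurations are all assumptions of the example.

```python
# Added example (not FreeRADIUS code): pre-flight check of certs/*.cnf before
# running `make`: flags values still at the shipped defaults and duplicate subjects.
import re

# Placeholder values from the ca.cnf/server.cnf excerpts in this howto.
DEFAULTS = {"input_password": "whatever", "output_password": "whatever",
            "countryName": "FR", "stateOrProvinceName": "Radius",
            "localityName": "Somewhere", "organizationName": "Example Inc.",
            "emailAddress": "admin@example.com"}

def parse_cnf(text):
    """Minimal OpenSSL .cnf reader -> {section: {key: value}} ('[ req ]' ok)."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip().strip('"')
    return sections

def check_configs(configs):
    """configs: {filename: cnf text}. Returns findings; an empty list means OK."""
    findings, seen = [], {}
    for name, text in configs.items():
        cnf = parse_cnf(text)
        req = cnf.get("req", {})
        dn = cnf.get(req.get("distinguished_name", ""), {})
        for key, value in list(req.items()) + list(dn.items()):
            if DEFAULTS.get(key) == value:
                findings.append(f"{name}: {key} still set to default '{value}'")
        ident = (dn.get("emailAddress"), dn.get("commonName"))
        if ident in seen:  # OpenSSL's CA index refuses a repeated subject
            findings.append(f"{name}: same emailAddress/commonName as {seen[ident]}")
        seen.setdefault(ident, name)
    return findings

# Constructed sample: an edited client.cnf, plus a second copy in which the
# password was put back to "whatever" and the identity fields were not changed.
GOOD = "\n".join(["[ req ]", "prompt = no", "distinguished_name = client",
    "input_password = Xk9-long-passphrase", "output_password = Xk9-long-passphrase",
    "[client]", "countryName = US", "stateOrProvinceName = Texas",
    "localityName = Austin", "organizationName = Acme Corp",
    "emailAddress = alice@acme.example", 'commonName = "alice laptop"'])
BAD = GOOD.replace("Xk9-long-passphrase", "whatever")

def demo():
    return check_configs({"client.cnf": GOOD, "client2.cnf": BAD})
```

Run the check against the real files with check_configs({p: open(p).read() for p in ("ca.cnf", "server.cnf", "client.cnf")}) from /etc/raddb/certs. If you change the key passwords, the private_key_password setting in the server's EAP TLS configuration must be updated to match, or the server will fail to load its key.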