Changes between Version 71 and Version 72 of WikiStart


Timestamp: Jun 25, 2013, 1:48:38 PM (11 years ago)
Author: walter
Comment: ca.pem ca.cer

  • WikiStart

    v71 v72  
    12081208===== 2.1bb Freeradius TTLS/PEAP certificates =====
    12091209
    1210 During install of freeradius, certificates are probably auto generated see "/etc/freeradius/certs" folder. These are needed for the eduroam idP part to allow local authentication of the @wleiden.net realm. However these certificates are made with a common/default credentials like "Freeradius CA etc" but they can also be made again/customized "My Certificate CA etc" by running the ./bootstrap command and editing the *.cnf (ca, client, server)files to fit your institution/identity. See /usr/share/doc/freeradius/examples/certs/. Probably there is still some parameter in on of the *cnf file that is common between the ca client and server, therefor is also writes the private key into the public certificate?
     1210During install of freeradius, certificates are probably auto generated see "/etc/freeradius/certs" folder. These are needed for the eduroam idP part to allow local authentication of the users we created with a "@wleiden.net" realm. However these certificates are made with a common/default credentials like "Freeradius CA etc" but they can also be customized "Wireless Leiden CA department et " by editing the *.cnf (ca, client, server)files and running the ./bootstrap command. See /usr/share/doc/freeradius/examples/certs/. Probably there is still some parameter in one of the *.cnf file that is common between the ca client and server, therefor it also writes the private key into the public certificate?
    12111211
    12121212* Bootstrap will probably not run for a second time so move/delete all other files excepts these: bootstrap ca.cnf client.cnf README server.cnf xpextensions.
     
    12141214* Warning the *.pem file we will deploy among users needs to be stripped of bag attributes and PRIVATEKEY!!!!
    12151215
    1216 The server.pem file is the one that needs to be distributed/deployed among the eduroam users to correctly setup their supplicants for safely logging in, for Mac and Linux. For Mac it will work, only for validating the origin of the certificate itself (red* mark) since we didn't use/bought a known verified root CA like verizon/thawte/etc we need to supply that one our self in our case "ca.pem" file. Than the Mac operating systems thinks everything is fine and the red mark about a certificate from a possible unknown provide will be gone.
    1217 This "root" "ca.pem" needs to be converted by Mac OSX to "ca.cer" to be usable by Windows XP-8, since windows only allows Root (dutch=basis) certificates to match its radius supplicant. Double click the ca.cer file and import it into the ROOT store! Than you will be able to select it!
     1216 *Mac/Linux
     1217The "server.pem" file is the one that needs to be distributed/deployed among the eduroam users to correctly setup their supplicants for safely logging in, for Mac and Linux. For Mac it works, only validating the origin of the certificate !ITSELF! gives a warning (red* mark), since we didn't use/bought a known verified root CA so Mac OSX cannot Validate the "WirelessLeiden CA department" with the certificates it already has from verizon/thawte/etc. We can buy a certificate or we need to supply our own ROOT CA in our case "ca.pem" file. Than the Mac operating systems thinks everything is fine and the red mark about a certificate from a possible unknown provider will be gone.
     1218
     1219 *Windows
     1220After importing this "root" "ca.pem" it can be easily converted by Mac OSX to "ca.cer" to be usable by Windows XP-8, since windows systems only allows Root (dutch=basis) certificates "ca.cer" to match its radius supplicant instead of "server.pem". In Windows double click the ca.cer file and import it into the ROOT store! Than you will be able to select it in the PEAP / supplicant option when you setup the eduroam window in network settings!
     1221
     1222Convert a DER file (.crt .cer .der) to PEM
     1223openssl x509 -inform der -in certificate.cer -out certificate.pem
     1224
     1225Convert a PEM file to DER
     1226openssl x509 -outform der -in certificate.pem -out certificate.der
    12181227
    12191228{{{