$ ./bootstrap
The "openssl" command will be run against the sample configuration
-files included here, and will make certificates for a certificate
-authority (i.e. root CA), and a server certificate.
+files included here, and will make a self-signed certificate authority
+(i.e. root CA), and a server certificate. This "root CA" should be
+installed on any client machine needing to do EAP-TLS, PEAP, or
+EAP-TTLS.
The Microsoft "XP Extensions" will be automatically included in the
server certificate. Without those extensions Windows clients will
refuse to authenticate to FreeRADIUS.
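Review bot: the added sentence "This "root CA" should be installed on any client machine needing to do EAP-TLS, PEAP, or EAP-TTLS" leaves out the half of the client-side step that actually gives the protection: the supplicant must also be configured to validate the server certificate against that root CA (and, where the supplicant supports it, to check the expected server name), otherwise a rogue access point presenting any certificate is accepted. Suggest: "This root CA must be installed on every client doing EAP-TLS, PEAP or EAP-TTLS, and the supplicant must be configured to validate the server certificate against it." It would also help to say here that the CA created by "bootstrap" is a self-signed test CA, so that the paragraph on the Microsoft "XP Extensions" does not read as the only client-side requirement.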
+ In general, you should use self-signed certificates for 802.1x (EAP)
+authentication. When you list root CAs from other organizations in
+the "CA_file", you permit them to masquerade as you, to authenticate
+your users, and to issue client certificates for EAP-TLS.
+
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode will also create test
+the server in root in debugging mode should also create test
certificates, i.e.:
$ radiusd -X
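Review bot: the new paragraph starting "+ In general" has a stray leading space after the "+", which pushes that one line out of the paragraph's left margin in the rendered README; drop it. On substance, "use self-signed certificates" reads as if the server certificate itself should be self-signed, whereas the point of the following sentence is that the server certificate should be issued by a private CA you control and that "CA_file" should list only that CA. Suggest: "In general, you should use your own private CA for 802.1X (EAP) authentication. Any root CA listed in CA_file can issue a certificate that lets its holder masquerade as your server, authenticate your users, and (for EAP-TLS) act as one of your clients." Also "802.1x" should be "802.1X".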
That will cause the EAP-TLS module to run the "bootstrap" script in
this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine.
+the server has been installed on a particular machine. This bootstrap
+script SHOULD be run on installation of any pre-built binary package
+for your OS. In any case, the script will ensure that it is not run
+twice, and that it does not over-write any existing certificates.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
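Review bot: "This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS" needs to say at install time on the target host, not at package build time: if "bootstrap" runs when the package is built, every installation ships the same CA and server private key, which defeats the "use your own CA" advice above. The guard "the script will ensure that it is not run twice, and that it does not over-write any existing certificates" would also be clearer if the README named what the script checks for (the existence of the generated files in this directory), so that packagers and the "rename (or delete) this directory" instruction that follows agree on how to replace the test certificates. Minor: "over-write" should be "overwrite".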