From 24590d2c68506768bd7a7e13ed09526e5d29a358 Mon Sep 17 00:00:00 2001 From: aland Date: Thu, 10 Jan 2008 10:15:12 +0000 Subject: [PATCH] Added notes on self-signed certificates --- raddb/certs/README | 18 ++++++++++++++---- raddb/eap.conf | 8 ++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/raddb/certs/README b/raddb/certs/README index 2173e42..685fbdb 100644 --- a/raddb/certs/README +++ b/raddb/certs/README 
@@ -4,22 +4,32 @@ To make a set of default (i.e. test) certificates, simply type: $ ./bootstrap The "openssl" command will be run against the sample configuration -files included here, and will make certificates for a certificate -authority (i.e. root CA), and a server certificate. +files included here, and will make a self-signed certificate authority +(i.e. root CA), and a server certificate. This "root CA" should be +installed on any client machine needing to do EAP-TLS, PEAP, or +EAP-TTLS. The Microsoft "XP Extensions" will be automatically included in the server certificate. Without those extensions Windows clients will refuse to authenticate to FreeRADIUS. + In general, you should use self-signed certificates for 802.1x (EAP) +authentication. When you list root CAs from other organizations in +the "CA_file", you permit them to masquerade as you, to authenticate +your users, and to issue client certificates for EAP-TLS. + If FreeRADIUS was configured to use OpenSSL, then simply starting -the server in root in debugging mode will also create test +the server in root in debugging mode should also create test certificates, i.e.: $ radiusd -X That will cause the EAP-TLS module to run the "bootstrap" script in this directory. The script will be executed only once, the first time -the server has been installed on a particular machine. +the server has been installed on a particular machine. This bootstrap +script SHOULD be run on installation of any pre-built binary package +for your OS. In any case, the script will ensure that it is not run +twice, and that it does not over-write any existing certificates. If you already have CA and server certificates, rename (or delete) this directory, and create a new "certs" directory containing your diff --git a/raddb/eap.conf b/raddb/eap.conf index 90d8677..0b0c0a3 100644 --- a/raddb/eap.conf +++ b/raddb/eap.conf 
@@ -151,6 +151,14 @@ certificate_file = ${certdir}/server.pem # Trusted Root CA list + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. CA_file = ${cadir}/ca.pem # -- 2.1.4
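Review bot: in the raddb/certs/README hunk, the new sentence "In general, you should use self-signed certificates for 802.1x (EAP) authentication" is imprecise given the line just above it, which says bootstrap creates a self-signed certificate *authority* plus a server certificate signed by that CA; the server certificate itself is not self-signed. Suggest "In general, you should use your own private (self-signed) CA for 802.1x (EAP) authentication" so a reader does not conclude that a bare self-signed server certificate is the recommended setup. The following sentence, that listing root CAs from other organizations in "CA_file" lets them masquerade as you, authenticate your users, and issue client certificates for EAP-TLS, is the key security point of the change and reads well as is. Two smaller items: "starting the server in root in debugging mode" should read "as root", and since the text now promises that the script "does not over-write any existing certificates", it would help to say which existing files it checks for before running, so whoever packages this can verify the guarantee rather than take it on faith.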
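Review bot: in the raddb/eap.conf hunk, the new comment above "CA_file = ${cadir}/ca.pem" says this file should contain *one* CA certificate but does not say which one; suggest stating that it is the self-signed root CA produced by the certs/bootstrap script, i.e. the CA that signed ${certdir}/server.pem, and pointing at raddb/certs/README (updated in this same patch) for the reasoning. The warning that "ALL of the CA's in this list will be trusted to issue client certificates for authentication" is exactly the framing an operator needs before pasting in a commercial CA bundle; only the apostrophe should go ("ALL of the CAs").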