$ ./bootstrap
The "openssl" command will be run against the sample configuration
-files included here, and will make certificates for a certificate
-authority (i.e. root CA), and a server certificate.
+files included here, and will make a self-signed certificate authority
+(i.e. root CA), and a server certificate. This "root CA" should be
+installed on any client machine needing to do EAP-TLS, PEAP, or
+EAP-TTLS.
The Microsoft "XP Extensions" will be automatically included in the
server certificate. Without those extensions Windows clients will
refuse to authenticate to FreeRADIUS.
+ In general, you should use self-signed certificates for 802.1x (EAP)
+authentication. When you list root CAs from other organizations in
+the "CA_file", you permit them to masquerade as you, to authenticate
+your users, and to issue client certificates for EAP-TLS.
+
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode will also create test
+the server in root in debugging mode should also create test
certificates, i.e.:
$ radiusd -X
That will cause the EAP-TLS module to run the "bootstrap" script in
this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine.
+the server has been installed on a particular machine. This bootstrap
+script SHOULD be run on installation of any pre-built binary package
+for your OS. In any case, the script will ensure that it is not run
+twice, and that it does not over-write any existing certificates.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
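Review bot: the sentence added at "you permit them to masquerade as you" mixes two different risks, and only one of them is controlled by "CA_file". On the server side, "CA_file" decides which CAs may issue client certificates that FreeRADIUS will accept for EAP-TLS, so the accurate consequence is the one the same sentence goes on to state ("to authenticate your users, and to issue client certificates for EAP-TLS"). Whether a third party can "masquerade as you" (present a rogue RADIUS server certificate) is decided by which CAs the supplicants trust and whether they validate the server certificate at all, which is a client configuration, not this file. Suggest splitting the sentence: keep the CA_file warning as written, and move the masquerade point next to the "This root CA should be installed on any client machine" paragraph, adding that clients must also be configured to verify the server certificate against that CA (installing it without enabling validation gives no protection). Two smaller points: the paragraph "In general, you should use self-signed certificates" starts with a stray leading space after the "+", unlike every other paragraph in this file; and the new text "the script will ensure that it is not run twice, and that it does not over-write any existing certificates" promises a guard that this patch does not show, so name what the script keys on (e.g. which existing files in this directory cause it to exit) so a packager knows what to preserve across upgrades.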
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
+ #
+ # ALL of the CA's in this list will be trusted
+ # to issue client certificates for authentication.
+ #
+ # In general, you should use self-signed
+ # certificates for 802.1x (EAP) authentication.
+ # In that case, this CA file should contain
+ # *one* CA certificate.
CA_file = ${cadir}/ca.pem
#
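Review bot: the advice "this CA file should contain *one* CA certificate" is too strict for the case where client certificates are issued by an intermediate CA rather than directly by the root: OpenSSL verification needs the whole chain from the issuing CA up to the trusted root available, so the file may legitimately hold the root plus its intermediates while still representing a single trust anchor. Suggest rewording to something like "should contain only your own CA certificate (plus any intermediate CA certificates you use to issue client certificates)", which keeps the point about not listing other organizations' CAs without telling a multi-tier deployment to break its chain. Nit: "ALL of the CA's in this list" should be "CAs" (plural, not possessive). Also worth a one-line cross-reference that "${cadir}/ca.pem" is the file the bootstrap script in the certs directory generates, so that a reader who replaces the generated certificates per the README knows this is the path to point at their own root.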