projects / freeradius.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0064c92)
Added notes on self-signed certificates
authoraland <aland>
Thu, 10 Jan 2008 10:15:12 +0000 (10:15 +0000)
committeraland <aland>
Thu, 10 Jan 2008 10:15:12 +0000 (10:15 +0000)
raddb/certs/README patch | blob | history
raddb/eap.conf patch | blob | history

diff --git a/raddb/certs/README b/raddb/certs/README
index 2173e42..685fbdb 100644 (file)
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -4,22 +4,32 @@ To make a set of default (i.e. test) certificates, simply type:
 $ ./bootstrap
 
   The "openssl" command will be run against the sample configuration
-files included here, and will make certificates for a certificate
-authority (i.e. root CA), and a server certificate.
+files included here, and will make a self-signed certificate authority
+(i.e. root CA), and a server certificate.  This "root CA" should be
+installed on any client machine needing to do EAP-TLS, PEAP, or
+EAP-TTLS.
 
   The Microsoft "XP Extensions" will be automatically included in the
 server certificate.  Without those extensions Windows clients will
 refuse to authenticate to FreeRADIUS.
 
+  In general, you should use self-signed certificates for 802.1x (EAP)
+authentication.  When you list root CAs from other organizations in
+the "CA_file", you permit them to masquerade as you, to authenticate
+your users, and to issue client certificates for EAP-TLS.
+
   If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode will also create test
+the server in root in debugging mode should also create test
 certificates, i.e.:
 
 $ radiusd -X
 
   That will cause the EAP-TLS module to run the "bootstrap" script in
 this directory.  The script will be executed only once, the first time
-the server has been installed on a particular machine.
+the server has been installed on a particular machine.  This bootstrap
+script SHOULD be run on installation of any pre-built binary package
+for your OS.  In any case, the script will ensure that it is not run
+twice, and that it does not over-write any existing certificates.
 
   If you already have CA and server certificates, rename (or delete)
 this directory, and create a new "certs" directory containing your
diff --git a/raddb/eap.conf b/raddb/eap.conf
index 90d8677..0b0c0a3 100644 (file)
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -151,6 +151,14 @@
                        certificate_file = ${certdir}/server.pem
 
                        #  Trusted Root CA list
+                       #
+                       #  ALL of the CA's in this list will be trusted
+                       #  to issue client certificates for authentication.
+                       #
+                       #  In general, you should use self-signed
+                       #  certificates for 802.1x (EAP) authentication.
+                       #  In that case, this CA file should contain
+                       #  *one* CA certificate.
                        CA_file = ${cadir}/ca.pem
 
                        #
Unnamed repository; edit this file 'description' to name the repository.