[c-nsp] EAP SSL certificates - how to?
Phil Mayers
p.mayers at imperial.ac.uk
Sat Apr 19 06:47:33 EDT 2008
matthew zeier wrote:
> GeoTrust is a well known root CA and I don't get prompts going to
> websites signed by them. I do, however, if I use the same cert for
> RADIUS. The error is "unknown trust setting".
The server certificate may be lacking certain X509 fields; for example,
"openssl x509 -noout -text -in $cert.pem" for our cert, which works
fine, says:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            snip
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US,O=VeriSign...,CN=VeriSign Class 3 Secure Server CA
        Validity
            Not Before: Apr 2 00:00:00 2007 GMT
            Not After : May 17 23:59:59 2008 GMT
        Subject: snip
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    snip
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://SVRSecure-crl.verisign.com/SVRSecure2005.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: snip
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - snip
            1.3.6.1.5.5.7.1.12: snip
    Signature Algorithm: sha1WithRSAEncryption
Specifically:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
...are important. We had problems with a previous "cheaper" CA which
issues certs unsuitable for 802.1x, with some clients failing to trust
the cert. We had to move to the Verisign product. I can't remember the
*specific* details, but IIRC there is a specific Verisign product for
802.1x certs.
Arguably a "safer" option is to issue a self-signed CA & server cert,
which prevents someone going out and buying a cert from the same CA and
impersonating your SSID, but that has the obvious deployment hassles of
deploying the CA. If you choose to do that, an appropriate "ca.cnf"
file for OpenSSL along with scripts to drive it lives in the FreeRadius
2.0.3 source tarball.
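Added example, not code from the original post or from FreeRADIUS: a small Python script that reads the text output of `openssl x509 -noout -text` (the command shown above), parses the X509v3 extensions and validity window, and reports the Key Usage / Extended Key Usage gaps that make supplicants reject a RADIUS server certificate. The same rule table also renders the openssl.cnf extension section you would point `-extensions` at when issuing a server cert from a private CA, as suggested at the end of the message. The two embedded certificate dumps, the host name radius.example.org and the exact set of required bits are constructed assumptions; the openssl.cnf keywords (basicConstraints, keyUsage, extendedKeyUsage, subjectKeyIdentifier, authorityKeyIdentifier) are real OpenSSL names.

```python
"""Check that a certificate carries the extensions 802.1X/EAP supplicants expect,
using `openssl x509 -noout -text` output, and render the openssl.cnf section for
issuing such a cert from a private CA. Added example; not from the original post."""
import subprocess
from datetime import datetime, timezone

# Bits an EAP server cert should carry (assumption: RSA key-exchange suites need
# Key Encipherment, every suite needs Digital Signature) and their cnf keywords.
REQUIRED_KU = {"Digital Signature", "Key Encipherment"}
REQUIRED_EKU = {"TLS Web Server Authentication"}
CONFIG_NAMES = {"Digital Signature": "digitalSignature",
                "Key Encipherment": "keyEncipherment",
                "TLS Web Server Authentication": "serverAuth"}

def _parse_time(s):
    """Parse 'Apr  2 00:00:00 2007 GMT' (openssl pads single-digit days)."""
    t = datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT")
    return t.replace(tzinfo=timezone.utc)

def parse_x509_text(text):
    """Return (not_before, not_after, {extension name: [value lines]})."""
    not_before = not_after = None
    exts, current, header_indent, in_exts = {}, None, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Not Before:"):
            not_before = _parse_time(stripped.split(":", 1)[1])
        elif stripped.startswith("Not After"):
            not_after = _parse_time(stripped.split(":", 1)[1])
        elif stripped == "X509v3 extensions:":
            in_exts = True
        elif in_exts:
            if stripped.startswith("Signature Algorithm:"):
                break  # the signature follows the last extension
            indent = len(line) - len(line.lstrip())
            header_indent = indent if header_indent is None else header_indent
            if indent <= header_indent:  # extension name, maybe marked critical
                name, _, rest = stripped.partition(":")
                current, rest = name.strip(), rest.replace("critical", "").strip(" ,")
                exts[current] = [rest] if rest else []
            elif current is not None:  # value line of the current extension
                exts[current].append(stripped)
    return not_before, not_after, exts

def _values(lines):
    """Split 'A, B' usage lines into a set of names."""
    return {v.strip() for ln in (lines or []) for v in ln.split(",") if v.strip()}

def check_eap_server_cert(text, now=None):
    """List problems that make supplicants reject this as an EAP server cert."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after, exts = parse_x509_text(text)
    problems = []
    if "CA:TRUE" in " ".join(exts.get("X509v3 Basic Constraints", [])):
        problems.append("certificate is a CA certificate, not a server certificate")
    for label, required in (("Key Usage", REQUIRED_KU),
                            ("Extended Key Usage", REQUIRED_EKU)):
        missing = required - _values(exts.get("X509v3 " + label))
        if missing:
            problems.append("%s missing: %s" % (label, ", ".join(sorted(missing))))
    if not_before and not_after and not (not_before <= now <= not_after):
        problems.append("certificate not valid at %s" % now.date())
    return problems

def check_cert_file(path, now=None):
    """Check a PEM file via `openssl x509 -noout -text` (openssl must be on PATH)."""
    out = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", path], text=True)
    return check_eap_server_cert(out, now)

def render_openssl_extensions():
    """openssl.cnf section for a server cert that passes the checks above."""
    return "\n".join([
        "[ v3_server ]", "basicConstraints = CA:FALSE",
        "keyUsage = " + ", ".join(CONFIG_NAMES[k] for k in sorted(REQUIRED_KU)),
        "extendedKeyUsage = " + ", ".join(CONFIG_NAMES[k] for k in sorted(REQUIRED_EKU)),
        "subjectKeyIdentifier = hash", "authorityKeyIdentifier = keyid,issuer", ""])

# Constructed sample output modelled on the post; names and dates are made up.
GOOD_CERT_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Apr  2 00:00:00 2007 GMT
            Not After : May 17 23:59:59 2008 GMT
        Subject: C=GB, O=Example Org, CN=radius.example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""
# The same certificate with a weaker Key Usage and no Extended Key Usage at all
BAD_CERT_TEXT = GOOD_CERT_TEXT.replace(
    "Digital Signature, Key Encipherment", "Key Encipherment").replace(
    "            X509v3 Extended Key Usage:\n                TLS Web Server "
    "Authentication, TLS Web Client Authentication\n", "")
SAMPLE_NOW = datetime(2007, 6, 1, tzinfo=timezone.utc)  # inside the sample window
```

Run `check_cert_file("server.pem")` against the certificate your RADIUS server presents; an empty list means the extensions look fine and the trouble is more likely the chain or the supplicant's trust settings, while a "Key Usage missing" or "Extended Key Usage missing" entry matches the situation described above. The checker and `render_openssl_extensions()` share REQUIRED_KU and REQUIRED_EKU on purpose, so a certificate issued with the rendered section passes the same check you apply to a purchased one.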