Skip to end of metadata
Go to start of metadata

Certificates

We need to get FreeRADIUS to create some private and public keys to use for its RadSec connections. Create and install the certificates by doing the following (as root).

  1. Change into the /etc/freeradius/certs directory

    $ cd /etc/freeradius/certs
  2. Edit the certificate generation properties in client.cnfserver.cnf, and ca.cnf as follows:

    1. In the ca.cnf file:
      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

      3. in the [ certificate_authority ] section, change all of the parameters to match those of your organisation. e.g.

        [certificate_authority]
        countryName             = GB
        stateOrProvinceName     = England
        localityName            = Camford
        organizationName        = Camford University
        emailAddress            = support@camford.ac.uk
        commonName              = "Camford University FR Certificate Authority"
    2. In the server.cnf file:

      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
      3. in the [ server ] section, change all of the parameters to match those of your organisation. e.g.

        [server]
        countryName             = GB
        stateOrProvinceName     = England
        localityName            = Camford
        organizationName        = Camford University
        emailAddress            = support@camford.ac.uk
        commonName              = "Camford University FR Server Certificate"

        When changing passwords in the [ req ] section of the server.cnf file, you must also update the private_key_password option in the FreeRADIUS mods-available/eap file with the same password.

        We recommend that you do not change these defaults.

    3. In the client.cnf file:

      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
      3. in the [ client ] section, change all of the parameters to match those of your organisation. e.g.

        [client]
        countryName             = GB
        stateOrProvinceName     = England
        localityName            = Camford
        organizationName        = Camford University
        emailAddress            = support@camford.ac.uk
        commonName              = "Camford University FR Client Certificate"
        All of the organisation parameters (countryName, localityName, etc) need to match in the three .cnf files but the commonName must be unique in each file)
  3. Clear out any old certificates in the directory:

    $ make destroycerts
  4. Run the bootstrap script to generate the certificates

    $ ./bootstrap
  5. Create a file that is the concatenation of the certificate and private key of the client.

    1. Create the file

      $ openssl x509 -in client.crt > client.pem ; cat client.key >> client.pem
    2. Verify that the client.pem file starts with "-----BEGIN CERTIFICATE-----".

     

  6. Because the above command was run as root, the keys and certificates created will not be readable by the FreeRADIUS user by default, and FreeRADIUS will not be able to start. To fix this, reset the group for the files:

    $ chgrp freerad {client,server,ca,dh}*
  • No labels