Page Comparison

...

1. Change into the /etc/raddb/certs directory

   Code Block
   language bash linenumbers true
   cd /etc/raddb/certs

   
   

2. Edit the certificate generation properties in client.cnf, server.cnf, and ca.cnf as follows:

   1. In the ca.cnf file:
      1. In the [ req ] section, add encrypt_key = no

      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

      3. in the [ certificate_authority ] section, change all of the parameters to match those of your organisation. e.g.

         Code Block
         linenumbers true
         [certificate_authority] countryName = GB stateOrProvinceName = England localityName = Camford organizationName = Camford University emailAddress = support@camford.ac.uk commonName = "Camford University FR Certificate Authority"

         
         

   2. In the server.cnf file:

      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

      3. in the [ server ] section, change all of the parameters to match those of your organisation. e.g.

         Code Block
         linenumbers true
         [server] countryName = GB stateOrProvinceName = England localityName = Camford organizationName = Camford University emailAddress = support@camford.ac.uk commonName = "Camford University FR Server Certificate"

         
         

         Warning
         When changing passwords in the [ req ] section of the server.cnf file, you must also update the private_key_password option in the FreeRADIUS mods-available/eap file with the same password. We recommend that you do not change these defaults.

         
         

   3. In the client.cnf file:

      1. In the [ req ] section, add encrypt_key = no
      2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.

      3. in the [ client ] section, change all of the parameters to match those of your organisation. e.g.

         Code Block
         linenumbers true
         [client] countryName = GB stateOrProvinceName = England localityName = Camford organizationName = Camford University emailAddress = support@camford.ac.uk commonName = "Camford University FR Client Certificate"

         
         

         Note
         All of the organisation parameters (countryName, localityName, etc) need to match in the three .cnf files but the commonName must be unique in each file)

         
         

3. Clear out any old certificates in the directory:

   Code Block
   language bash
   make destroycerts

   
   

4. Run the bootstrap script to generate the certificates

   Code Block
   language bash
   ./bootstrap

   
   

5. Create a file that is the concatenation of the certificate and private key of the client.

   1. Create the file

      Code Block
      language bash
      openssl x509 -in client.crt > client.pem ; cat client.key >> client.pem

      
      

   2. Verify that the client.pem file starts with "-----BEGIN CERTIFICATE-----".

   
   

6. Because the above command was run as root, the keys and certificates created will not be readable by the FreeRADIUS user by default, and FreeRADIUS will not be able to start. To fix this, reset the group for the files:

chgrp radiusd {client,server,ca,dh}*

...