_CertPrep_DEB

Certificates

We need to get FreeRADIUS to create some private and public keys to use for its RadSec connections. Create and install the certificates by doing the following (as root).

Change into the /etc/freeradius/certs directory
```
cd /etc/freeradius/certs
```
Edit the certificate generation properties in client.cnf, server.cnf, and ca.cnf as follows:
1. In the ca.cnf file:
  1. In the [ req ] section, add encrypt_key = no
  2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
  3. in the [ certificate_authority ] section, change all of the parameters to match those of your organisation. e.g.
    [certificate_authority] countryName = GB stateOrProvinceName = England localityName = Camford organizationName = Camford University emailAddress = support@camford.ac.uk commonName = "Camford University FR Certificate Authority"
2. In the server.cnf file:
  1. In the [ req ] section, add encrypt_key = no
  2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
  3. in the [ server ] section, change all of the parameters to match those of your organisation. e.g.
    [server] countryName = GB stateOrProvinceName = England localityName = Camford organizationName = Camford University emailAddress = support@camford.ac.uk commonName = "Camford University FR Server Certificate"
    When changing passwords in the [ req ] section of the server.cnf file, you must also update the private_key_password option in the FreeRADIUS mods-available/eap file with the same password.
    We recommend that you do not change these defaults.
3. In the client.cnf file:
  1. In the [ req ] section, add encrypt_key = no
  2. In the [CA_default] section, change the default_days from 60 to a higher number (this is how long the certificates you create will be valid for). When the certificates expire, you will have to recreate them.
  3. in the [ client ] section, change all of the parameters to match those of your organisation. e.g.
    [client] countryName = GB stateOrProvinceName = England localityName = Camford organizationName = Camford University emailAddress = support@camford.ac.uk commonName = "Camford University FR Client Certificate"
    All of the organisation parameters (countryName, localityName, etc) need to match in the three .cnf files but the commonName must be unique in each file)
Clear out any old certificates in the directory:
```
make destroycerts
```
Run the bootstrap script to generate the certificates
```
./bootstrap
```
Create a file that is the concatenation of the certificate and private key of the client.
```
openssl x509 -in client.crt > client.pem ; cat client.key >> client.pem
```
Because the above command was run as root, the keys and certificates created will not be readable by the FreeRADIUS user by default, and FreeRADIUS will not be able to start. To fix this, reset the group for the files:
```
chgrp freerad {client,server,ca,dh}*
```

RadSec

Next we need to configure RadSec. We do this by creating a file at /etc/radsec.conf with the following:

realm gss-eap {
	type = "TLS"
	cacertfile = "/etc/freeradius/certs/ca.pem"
	certfile = "/etc/freeradius/certs/client.pem"
	certkeyfile = "/etc/freeradius/certs/client.key"
	disable_hostname_check = yes
	server {
		hostname = "127.0.0.1"
		service = "2083"
		secret = "radsec"
	}
}

Dynamic Realm support

We need to tell your FreeRADIUS server to support dynamic lookup of realms.

Open /etc/freeradius/proxy.conf for editing:
1. Towards the top of the file is a stanza beginning "proxy server {". Find this.
2. Below this, add dynamic = yes, like so:
```
proxy server {
        dynamic = yes
```