To use a RADIUS server for secure WLAN authentication, the RADIUS server needs a server authentication certificate as well as the associated trusted root certificate. This procedure creates a trusted Root CA and a server certificate signed by that self-signed CA, for use in RADIUS (EAP) authentication.

Wireless clients will not have the trusted root for this certificate installed and therefore will not be required to validate the certificate. The certificate is still required by RADIUS to process EAP transactions. A client that skips validation cannot tell this server apart from any other that presents a certificate, so where possible distribute the root certificate (cacert.pem) to clients and enable validation.

Create the Root CA chain

Use the CA perl script (CA.pl, shipped with OpenSSL) to create a root CA and the CA directory layout:

  • Run the command CA -newca
  • The directory ../../CA will be created
  • The Root CA certificate is ../../CA/cacert.pem
  • The Root CA private key is ../../CA/private/cakey.pem

Copy openssl.cnf to the ../../CA directory, rename it to openssl.cust.cnf and modify the [ CA_default ] section as follows (the change from the stock file is dir = . in place of dir = ./demoCA, so all paths become relative to the CA directory):

  [ CA_default ]

  dir             = .                      # Where everything is kept
  certs           = $dir/certs             # Where the issued certs are kept
  crl_dir         = $dir/crl               # Where the issued crl are kept
  database        = $dir/index.txt         # database index file.
  #unique_subject = no                     # Set to 'no' to allow creation of
                                           # several certificates with same subject.
  new_certs_dir   = $dir/newcerts          # default place for new certs.

  certificate     = $dir/cacert.pem        # The CA certificate
  serial          = $dir/serial            # The current serial number
  crlnumber       = $dir/crlnumber         # the current crl number
                                           # must be commented out to leave a V1 CRL
  crl             = $dir/crl.pem           # The current CRL
  private_key     = $dir/private/cakey.pem # The private key
  RANDFILE        = $dir/private/.rand     # private random number file

  x509_extensions = usr_cert               # The extensions to add to the cert

  # Comment out the following two lines for the "traditional"
  # (and highly broken) format.
  name_opt        = ca_default             # Subject Name options
  cert_opt        = ca_default             # Certificate field options

Use openssl to create a certificate signing request (CSR) and private key for the server certificate:

  • openssl req -config openssl.cust.cnf -new -nodes -keyout private/wlanserv.key -out wlanserv.csr -days 365
  • The CSR file is wlanserv.csr
  • This command also creates an unencrypted (-nodes) private key called wlanserv.key in the private/ directory
  • The cert will be good for 1 year (the validity period is applied when the CA signs the request: -days is ignored for a CSR, so the period actually used comes from the signing step, either default_days in openssl.cust.cnf or -days on openssl ca)

Use openssl ca to sign the CSR with the Root CA certificate. This makes the certificate usable for server authentication:

  • openssl ca -config openssl.cust.cnf -policy policy_anything -days 365 -out certs/wlanserv.crt -infiles wlanserv.csr
  • The certificate is created in the certs/ directory as wlanserv.crt

Combine the server certificate and the private key into one file (it contains the unencrypted key, so keep it readable only by the RADIUS service):

  • cat certs/wlanserv.crt private/wlanserv.key > private/wlansec.pem

Verify that the server certificate chains to the Root CA and is valid for server authentication:

  • openssl verify -purpose sslserver -CAfile /etc/CA/cacert.pem /etc/CA/private/wlansec.pem

Get information about the certificate with the following commands:

  • openssl x509 -subject -issuer -enddate -noout -in /etc/CA/private/wlansec.pem
  • openssl x509 -in /etc/CA/private/wlansec.pem -noout -text
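The whole procedure above, from Root CA through signing, bundling and verification, as an added example script that is not part of the original page. It differs from the page in three ways: the Root CA is made directly with openssl req -x509 instead of CA -newca, the config is trimmed to the sections openssl req and openssl ca actually read, and the usr_cert section adds extendedKeyUsage = serverAuth so that clients which check the EKU (and openssl verify -purpose sslserver) accept the certificate. "Example WLAN Root CA", radius.example.test and the work directory are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway Root CA, sign a
# server certificate for EAP/RADIUS with it, bundle it with its key, verify it.
# "Example WLAN Root CA", radius.example.test and the work dir are placeholders.
set -eu

# Trimmed openssl.cust.cnf: only what "openssl req" and "openssl ca" need here.
# The usr_cert section adds extendedKeyUsage = serverAuth (not in the stock file).
write_ca_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = .                       # Where everything is kept
certs           = $dir/certs              # Where the issued certs are kept
database        = $dir/index.txt          # database index file
new_certs_dir   = $dir/newcerts           # default place for new certs
certificate     = $dir/cacert.pem         # The CA certificate
serial          = $dir/serial             # The current serial number
private_key     = $dir/private/cakey.pem  # The private key
default_md      = sha256
x509_extensions = usr_cert

[ policy_anything ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
default_md         = sha256
prompt             = no

[ req_dn ]
commonName = placeholder    # overridden by -subj on the command line

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Build the CA and the server certificate inside directory $1 (created if
# missing); $2 is the server name. Returns 0 only if every step, including the
# final verification, succeeds. Prints the subject, issuer and expiry.
build_wlan_ca() {
    cadir=$1
    server_cn=${2:-radius.example.test}
    mkdir -p "$cadir"
    (
        cd "$cadir"
        mkdir -p certs newcerts private
        chmod 700 private
        : > index.txt
        [ -f serial ] || echo 01 > serial
        write_ca_config openssl.cust.cnf

        # 1. Root CA key and self-signed certificate (what "CA -newca" produces).
        openssl req -config openssl.cust.cnf -x509 -new -nodes -newkey rsa:2048 \
            -keyout private/cakey.pem -out cacert.pem \
            -subj "/CN=Example WLAN Root CA" -days 3650 -extensions v3_ca

        # 2. Unencrypted server key (-nodes) and CSR.
        openssl req -config openssl.cust.cnf -new -nodes -newkey rsa:2048 \
            -keyout private/wlanserv.key -out wlanserv.csr -subj "/CN=$server_cn"

        # 3. Sign with the Root CA. The validity period is set here, not by the CSR.
        openssl ca -config openssl.cust.cnf -batch -policy policy_anything \
            -days 365 -out certs/wlanserv.crt -infiles wlanserv.csr

        # 4. Certificate + key bundle for the RADIUS server, owner-readable only.
        cat certs/wlanserv.crt private/wlanserv.key > private/wlansec.pem
        chmod 600 private/wlanserv.key private/wlansec.pem

        # 5. Checks before loading it into RADIUS: chain, purpose and EKU.
        openssl verify -purpose sslserver -CAfile cacert.pem private/wlansec.pem >/dev/null
        openssl x509 -in private/wlansec.pem -noout -text \
            | grep -q 'TLS Web Server Authentication'
        openssl x509 -in private/wlansec.pem -noout -subject -issuer -enddate
    )
}

# Usage: sh build_wlan_ca.sh ./CA [server-name]
if [ "${1:-}" ]; then
    build_wlan_ca "$1" "${2:-radius.example.test}"
fi
```

The function fails fast (set -e inside the subshell) at the first step that does not succeed, so a missing EKU or a certificate that does not chain to cacert.pem stops the script before anything is handed to RADIUS; the paths match the page (certs/wlanserv.crt, private/wlanserv.key, private/wlansec.pem) relative to the CA directory.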