Creating a temporary EAP-TTLS certificate for a RADIUS server

Create the directory structure and the configuration files

# echo "201310300900" > /etc/pki/CA/serial
# touch /etc/pki/CA/index.txt
# touch /etc/pki/CA/index.txt.attr
The serial file holds the hexadecimal serial number that openssl ca assigns to the next certificate it signs (it shows up further down as 20:13:10:30:09:00); index.txt is the CA database of issued certificates. The openssl commands below use -config /etc/pki/tls/openssl.cnf, whose [ CA_default ] section on Red Hat-family systems points at /etc/pki/CA, with private keys under private/ and a copy of every signed certificate under newcerts/ (the openssl package creates those subdirectories). You can of course use any other directory instead, as long as the dir setting in the configuration file you pass to -config points at it.

Edit openssl.cnf with an editor

$ vi /etc/pki/radius/openssl.cnf

The file you edit must be the one the later commands pass with -config; in this guide that is /etc/pki/tls/openssl.cnf, so either edit that file (as root) or pass your own copy to every -config below. Set the following values (in vi, press i to enter insert mode):

In the [ v3_ca ] section enable the following value (delete the leading #):
keyUsage = cRLSign, keyCertSign
At the end of the file add these sections:
[ ttls_server ]
crlDistributionPoints = URI:http://www.institut-jn.si/eduroam.crl
extendedKeyUsage = serverAuth
subjectAltName = IP:10.0.355.2, DNS:eduroam.institut-jn.si

[ ttls_client ]
extendedKeyUsage = clientAuth
WARNING: adapt the IP address and the DNS name to your own organization! The address above is only a placeholder: 10.0.355.2 is not a valid IPv4 address (every octet must be in the range 0-255) and OpenSSL refuses to encode such a value in the subjectAltName, so put your server's real address there or drop the IP entry altogether. The DNS entry must be the exact server name your supplicants are configured to check: they compare it with the SAN DNS entries (wpa_supplicant-based clients look at the CN only when the certificate has no SAN DNS entry at all), so the name here matters more than the CN of the request below, which in this example is a different name; using the same name in both places avoids surprises. extendedKeyUsage = serverAuth is what Windows supplicants require of an EAP server certificate, and the CRL distribution point should point at a CRL you actually publish (openssl ca -gencrl). The ttls_client section is for client certificates, which EAP-TTLS does not use, but it does no harm.
When you have made the changes, save them with :wq!

Create the root (CA) certificate and its private key

# openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -sha256 -nodes -newkey rsa:4096 -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 2922  -subj "/C=SI/L=Novo Mesto/O=Institut Janeza Novaka/CN=Eduroam CA Institut Janeza Novaka"
# chmod o-rwx /etc/pki/CA/private/cakey.pem

-nodes writes the CA key unencrypted, so the signing steps below need no passphrase, but anyone who can read cakey.pem can issue certificates that every client trusting this CA will accept; chmod o-rwx only removes access for others, and the final step of this guide tightens the mode to 600. -days 2922 gives the CA an eight-year lifetime. Inspect the result and check the Signature Algorithm lines in particular: the listing below was captured with sha1WithRSAEncryption, whereas with -sha256 on the command line it should read sha256WithRSAEncryption. SHA-1 signatures are deprecated, so make sure your own output shows SHA-256.

# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a3:70:39:63:b8:2c:f1:10
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SI, L=Novo Mesto, O=Institut Janeza Novaka, CN=Eduroam CA Institut Janeza Novaka
        Validity
            Not Before: Oct 30 11:42:49 2013 GMT
            Not After : Oct 30 11:42:49 2021 GMT
        Subject: C=SI, L=Novo Mesto, O=Institut Janeza Novaka, CN=Eduroam CA Institut Janeza Novaka
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b2:93:d4:4b:64:c1:bd:b1:86:19:77:b0:11:21:
                    94:c3:f6:95:ad:6a:8b:1c:a9:eb:f1:f2:74:98:37:
                    e8:40:f3:a6:fc:92:5f:14:76:70:0f:32:6f:48:94:
                    7b:f9:91:ce:63:dc:a5:27:07:8c:57:df:83:14:c5:
                    e0:64:83:87:b3:56:18:ee:ad:6e:8c:cd:f0:b3:a7:
                    fb:f6:fc:27:b5:bd:7e:2e:0d:ac:a2:e6:0e:1a:18:
                    51:4e:88:bf:05:49:4e:db:dc:8e:b5:f8:a6:5d:ed:
                    83:66:d8:92:2e:5a:a9:7e:5d:81:55:84:a2:7a:40:
                    87:77:5c:31:53:8b:b6:34:bc:9c:4b:f9:11:a5:99:
                    fb:4e:50:b3:28:40:20:42:54:19:12:8c:53:6f:8f:
                    f7:a6:00:66:8e:32:0f:26:f0:ad:a5:87:3c:cb:09:
                    ea:69:ac:50:fb:bc:e6:5c:23:84:73:d5:17:cb:54:
                    e4:d0:c1:d2:93:af:10:56:9a:a3:b1:66:4e:ca:34:
                    ba:6a:8e:ac:00:23:79:65:14:01:7e:58:8f:18:75:
                    9d:82:f5:d2:22:90:97:99:5d:ad:d2:52:4e:03:ec:
                    fe:0e:63:6f:b1:0b:31:14:68:8f:c8:2c:b8:74:da:
                    34:b5:de:41:5e:13:c3:3d:59:9c:d8:5a:f3:4e:eb:
                    3d:47:77:83:4b:a8:4c:29:32:13:e1:fd:f1:36:8c:
                    49:19:37:ad:ca:14:78:65:97:a2:20:c6:6e:fc:2a:
                    6e:0c:a7:4a:e4:2f:c4:c1:de:06:37:83:21:9d:c3:
                    d1:05:d6:03:ad:79:b3:ae:47:d4:53:ea:3b:03:91:
                    9f:0d:0c:a5:72:4a:d0:39:71:17:0c:bc:82:97:d2:
                    4e:21:be:7c:2a:e2:31:76:1e:40:c0:c5:61:b7:b8:
                    4d:6e:0c:66:0a:77:3d:00:70:70:30:6a:e2:8c:3f:
                    42:73:97:1b:48:28:60:5f:80:ec:ba:cc:8f:a0:75:
                    f4:96:25:96:78:01:1d:3a:f5:a2:4d:71:2f:93:77:
                    70:af:9c:2f:f1:d2:42:e6:a5:36:d7:cb:15:11:2f:
                    bc:46:6f:b6:49:7c:ee:0a:fb:54:03:59:ed:65:f9:
                    41:51:e7:62:09:14:e6:fe:d8:70:86:67:e9:68:11:
                    7c:26:21:24:76:e1:05:11:08:7e:d3:71:f6:63:57:
                    f7:d8:d2:b9:85:f9:21:da:6b:16:44:d0:a4:dc:76:
                    75:34:e5:c7:56:ff:83:46:e5:1f:97:70:75:58:12:
                    2f:98:b0:68:5c:2f:b3:bb:91:e1:45:58:61:ea:2c:
                    58:17:46:fd:98:15:33:a2:e8:2d:ff:b1:fb:b5:55:
                    a8:33:6f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                52:82:D5:9B:E8:51:8E:40:68:E8:2F:F6:E9:63:7B:34:FF:65:3A:89
            X509v3 Authority Key Identifier:
                keyid:52:82:D5:9B:E8:51:8E:40:68:E8:2F:F6:E9:63:7B:34:FF:65:3A:89

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        88:5e:c4:d0:43:6e:7f:7b:e9:1c:ed:9a:bd:c5:1a:cd:f4:72:
        c2:42:e2:f9:ba:c9:12:c8:b0:58:6a:46:a8:f9:77:f0:e1:1c:
        fd:3d:0e:05:0b:c7:8e:02:e2:c4:38:4a:a2:a1:d4:b6:64:07:
        ff:79:b1:51:5f:c1:fa:7c:db:81:64:b6:54:b0:e7:aa:70:64:
        92:5f:6b:2c:4b:e7:f4:55:68:2e:db:af:ec:db:8d:dd:fa:31:
        3b:82:ad:57:32:52:45:a5:25:32:c6:f6:63:16:10:75:cd:fe:
        bc:c7:f7:52:c4:50:86:d1:54:c8:1b:b9:71:6e:21:0d:4a:e9:
        1e:d2:86:67:02:01:cd:0f:bd:6b:0a:74:27:bb:8e:57:40:d2:
        eb:d0:56:63:8f:33:b9:72:9e:94:00:3b:f9:da:d9:25:31:07:
        be:f2:84:1b:9e:65:e7:c9:c8:35:ce:c4:f9:14:3b:1a:68:20:
        e0:4c:4f:25:f1:15:bc:67:29:93:12:8d:9c:69:58:5c:0f:2c:
        e4:e8:2e:90:cf:3d:04:96:a9:72:ea:31:98:34:62:e4:47:04:
        62:07:c8:7c:1c:d1:67:7b:b6:ae:b7:06:3b:55:ba:e4:19:8b:
        f1:6e:6f:10:91:85:58:46:4c:52:b4:b8:ec:dd:a2:6d:07:2f:
        17:98:d6:31:40:04:dc:b6:5e:91:24:b2:98:a3:23:ee:22:51:
        80:e5:1c:f3:3e:95:1c:65:a6:50:fe:36:b0:f1:c1:fb:ca:61:
        82:33:d0:73:bf:7c:4e:93:aa:6a:7a:75:11:e8:e1:f7:ef:1d:
        b6:2d:31:06:e1:e1:bd:7e:e0:1f:e2:ef:15:79:5a:8b:7e:23:
        f3:03:94:08:2b:ea:5c:e2:84:41:37:9f:f8:20:92:7d:2d:0a:
        d2:53:a7:cd:0b:de:74:8b:70:c5:3c:ee:1e:9b:36:fc:d9:24:
        d9:d5:04:ed:a0:ca:f6:1e:90:83:c7:42:99:16:ae:c0:dc:e8:
        db:72:f5:52:72:5c:c5:3c:e5:83:26:41:5a:a2:db:5a:1b:67:
        c9:db:cc:8f:e1:4c:06:be:66:c3:be:23:a4:66:ac:b1:98:b2:
        d9:04:52:8e:ff:50:e8:71:0b:a4:f8:fa:14:a0:c5:9a:f4:83:
        25:5b:92:e3:42:0f:8d:0a:cf:96:d4:db:2b:1b:ba:e9:01:7f:
        b5:88:75:a6:e6:61:31:d6:10:a7:14:08:33:0b:45:1d:b7:51:
        57:9e:d1:02:d0:2b:0b:00:80:93:64:d2:e1:09:da:d2:39:e3:
        7b:d3:d4:c6:22:5d:b1:c3:70:94:22:5a:9e:e0:28:af:ef:7f:
        7f:3e:71:8e:43:cc:82:71

Create the server certificate request

# openssl req -sha256 -newkey rsa:4096 -nodes -config /etc/pki/tls/openssl.cnf -new -keyout /etc/pki/CA/private/server.domain.tld_key.pem -out /etc/pki/CA/private/server.domain.tld_req.pem  -extensions ttls_server -days 1424 -subj "/O=Institut Janeza Novaka/CN=radius.institut-jn.si"
Generating a 4096 bit RSA private key
........................................++
..............................++
writing new private key to '/etc/pki/CA/private/server.domain.tld_key.pem'
-----

# chmod o-rwx /etc/pki/CA/private/server.domain.tld_key.pem

Note that without -x509, openssl req in the OpenSSL 1.0 series used here ignores both -extensions and -days: request extensions would need -reqexts, and the validity period is decided when the CA signs. That is why the request shown below carries no extensions (its Attributes are empty, a0:00) and why the certificate signed in the next step is valid for 365 days, the default_days value from openssl.cnf, rather than 1424. The extensions come from the -extensions ttls_server option of openssl ca; add -days to that command if you want a different lifetime. Inspect the request:

# openssl req -in /etc/pki/CA/private/server.domain.tld_req.pem -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=Institut Janeza Novaka, CN=radius.institut-jn.si
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:cf:08:4a:0e:df:73:64:93:41:11:05:8b:79:40:
                    e0:89:f3:09:51:4d:32:a1:3c:19:94:f1:48:26:0e:
                    b7:fd:d7:7c:93:77:98:02:6e:f4:55:e5:6e:3f:53:
                    72:39:7c:5a:31:24:ff:1d:7f:57:6f:0b:1d:44:74:
                    0c:d6:56:d0:4d:72:5c:db:53:56:5f:8a:a1:41:7c:
                    7e:34:47:99:00:7c:6b:46:70:4a:ac:29:39:62:34:
                    a3:ff:77:27:57:8a:e9:c9:5d:de:44:09:32:8b:82:
                    74:76:d5:31:24:32:41:fb:88:ed:a4:ea:41:32:6f:
                    50:ca:a2:b7:06:b8:f7:97:aa:60:bf:6e:8a:b7:d6:
                    be:f2:87:61:4f:ed:f9:4d:74:1a:61:df:a6:ed:37:
                    3e:b9:71:9b:3c:0f:d2:a0:53:12:45:c5:02:52:f4:
                    e2:08:2d:8d:9d:49:a6:e3:9e:13:a3:5f:cd:31:98:
                    9e:cb:0a:53:9f:a2:f8:b9:99:4a:be:ad:6a:f9:f3:
                    4c:d5:1d:85:dd:10:71:af:9d:37:6f:c8:81:ec:d7:
                    b8:ae:3c:27:dc:88:09:54:c5:76:a9:ed:73:57:22:
                    21:66:e4:60:b1:38:11:01:ac:c9:0b:c1:ae:08:b0:
                    b9:f5:00:fb:4f:f4:5a:fd:57:f6:d0:c9:d5:a4:1b:
                    4f:f4:6b:13:f6:f4:01:22:5c:20:6f:e3:60:21:28:
                    70:51:da:5d:4c:b5:1a:b3:12:91:18:78:ab:82:b6:
                    07:9c:a4:53:15:ea:3d:4c:1e:c2:85:17:75:10:28:
                    95:24:e4:3d:a6:36:2f:2c:56:c9:51:46:64:3b:8c:
                    d8:40:51:3d:d4:14:d6:e1:27:b7:5a:01:1d:7b:5b:
                    a5:0e:00:b7:3f:54:51:a2:dc:ae:88:27:12:7d:ab:
                    02:53:f8:70:9d:5f:b2:83:28:d2:cc:b9:57:1f:28:
                    54:1d:88:7d:c5:88:82:c3:9f:e6:73:c2:4d:a7:3e:
                    af:1c:ae:99:70:39:9d:2c:dd:d4:6e:92:6e:3e:90:
                    e6:76:52:9e:67:24:27:30:e8:9c:d4:72:1f:8b:df:
                    f6:a5:61:a8:aa:57:df:37:d3:29:4a:4d:b0:db:d7:
                    cc:c5:50:a3:57:b8:f0:da:bc:3b:9b:24:aa:4d:f5:
                    f9:28:9f:45:3f:96:d7:4c:53:20:09:c4:73:7d:63:
                    ea:57:1d:68:b2:bd:85:4c:ba:43:8b:38:8f:b9:f0:
                    b9:53:3d:b3:b9:af:94:e3:6c:c0:64:d8:76:26:b7:
                    c2:76:bf:4e:dc:29:58:69:bd:e0:bf:36:11:04:59:
                    2c:67:01:a5:91:42:a4:dd:47:ba:03:6b:45:f6:35:
                    f0:28:b7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        52:2d:7b:ed:44:93:61:09:66:ab:d9:ce:09:d7:58:1e:6d:11:
        3c:70:04:4b:cf:7c:d3:1d:1a:7e:c2:64:c7:ef:39:3e:d0:0c:
        23:50:a8:22:54:e3:81:8f:5e:a5:8f:3b:8b:39:61:7e:e0:7c:
        7e:59:28:3f:e0:5e:10:da:72:4a:01:f4:1f:97:50:6d:3a:73:
        24:84:a7:06:fe:bb:07:b4:e6:9a:df:1c:f0:6f:f0:ac:a0:01:
        5c:dc:6f:78:ce:b5:44:59:0d:b4:15:ed:f2:a6:1c:2b:53:d8:
        f4:da:db:ef:41:ac:3c:c2:0b:1a:e5:c6:c1:e8:1e:db:ea:2a:
        16:e6:eb:e7:f8:76:08:32:be:41:21:19:d3:7f:f1:e6:d0:78:
        4a:b8:7d:c7:f5:55:f3:21:72:69:e9:b5:6e:43:5e:7b:dd:b1:
        e8:d5:51:e1:e8:04:41:bf:95:db:03:6f:bf:21:05:18:f9:ff:
        b6:1f:61:7b:88:f6:b3:7e:72:57:9d:7d:6a:6c:74:a1:89:80:
        85:51:73:ca:08:75:4d:73:81:62:9a:17:e4:ef:94:70:c3:0e:
        eb:38:87:35:59:e3:ce:b8:d4:83:c9:7e:79:63:5a:0b:41:2b:
        0d:30:e8:72:5e:33:73:2e:b8:a6:3e:15:55:b5:12:dd:41:bd:
        ac:71:6c:bb:cd:67:11:15:9d:9a:7d:8e:e0:a4:3b:63:ef:8a:
        2a:b7:92:85:49:de:0b:70:d1:39:89:c8:29:d2:1d:21:c4:29:
        8f:50:7d:f3:cf:3a:3b:38:9e:77:e6:24:9d:01:f3:d0:1d:54:
        75:60:eb:76:96:f3:8d:3a:17:60:5d:a3:d4:10:2a:a5:d0:e3:
        0b:9e:b8:65:2d:69:1c:5e:6b:37:8e:06:b4:9f:11:ec:ff:d5:
        ca:39:9e:06:07:2b:08:fd:88:6d:25:ab:a3:2b:d6:31:d0:67:
        6c:eb:1e:74:7d:79:7f:8e:b0:6e:82:46:f2:c9:0c:34:cc:08:
        11:cb:dc:1b:7e:2b:57:36:7b:2d:f6:64:2b:3d:1a:b2:17:05:
        45:97:6a:c3:ba:93:66:29:a6:c4:f3:04:52:00:f0:1e:f9:98:
        da:63:9a:0b:fc:1e:91:f3:17:1e:1a:b8:0c:d7:7c:f1:ea:48:
        83:e7:d7:11:c3:a4:26:67:1f:06:f9:8c:fb:61:93:ab:8f:4f:
        65:7d:4e:4c:a8:ee:cd:09:15:a4:55:0b:34:f4:f1:88:01:97:
        fe:a2:66:37:92:b3:df:cc:bc:0e:6f:54:c2:96:2f:b6:3c:1a:
        d0:ca:0c:08:53:28:16:05:51:a9:5f:dc:f9:bb:ac:e9:92:a7:
        a7:9a:7b:02:ff:94:73:46

Sign the request to obtain the server certificate

-extensions ttls_server is where the EKU, the SAN and the CRL distribution point are added. -policy policy_anything is needed because the request's subject contains only O and CN; the default policy_match would insist on C, ST and O being present and identical to the CA certificate's. The validity comes from default_days in openssl.cnf (365 here); add -days N to this command for a different lifetime. Answer y to both prompts; openssl ca then records the certificate in index.txt, stores a copy under newcerts/ and increments serial. The certificate is written to /tmp here, so move it to the directory FreeRADIUS reads its certificates from (/etc/raddb/certs on this system) and delete the copy in /tmp.

# openssl ca -config /etc/pki/tls/openssl.cnf -extensions ttls_server -policy policy_anything  -in /etc/pki/CA/private/server.domain.tld_req.pem -out /tmp/server.domain.tld_cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            20:13:10:30:09:00
        Validity
            Not Before: Oct 30 12:37:23 2013 GMT
            Not After : Oct 30 12:37:23 2014 GMT
        Subject:
            organizationName          = Institut Janeza Novaka
            commonName                = radius.institut-jn.si
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.institut-jn.si/eduroam.crl

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                IP Address:10.0.355.2, DNS:eduroam.institut-jn.si
Certificate is to be certified until Oct 30 12:37:23 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Optionally convert to DER, the binary format Windows imports as a .crt file (the DER copies are for distributing the CA certificate to clients; FreeRADIUS keeps using the PEM files)

# openssl x509 -in /etc/pki/CA/cacert.pem -outform DER -out /etc/pki/CA/cacert.crt
# openssl x509 -in /tmp/server.domain.tld_cert.pem -outform DER -out /tmp/server.domain.tld_cert.crt

Create DH parameters for FreeRADIUS

Only the size (2048, the minimum you should use today) and -out matter here. -5 selects generator 5, -check verifies the generated safe prime, and -text additionally writes the human-readable dump into the same output file ahead of the PEM block; PEM readers skip that text, but you may prefer to leave -text out for a clean file. Expect the generation to take a while.

# openssl dhparam -check -text -5 2048 -out /etc/raddb/certs/dh
Generating DH parameters, 2048 bit long safe prime, generator 5
This is going to take a long time
.......................................................................................+....................+...............+
...............................................+........................................+..+...........+......+..........+...
............................+......+...+..........+...+.................+.+..+.............................................+.
....................................................................+...................+....................................
......+.......+..........+.......................................+.....+...+...........+...........................+.........
............................................+...............+.................+.......+......+.......................+.......
...............................+.............+...........................+.......................+......+..+......+...+......
.......+............................+.....+..............................................+.................+.+..........+....
...................+...+.....................................+.......................+...................+...............+...
........+.....................+.................................+..........+.....................................+...........
.............+................+......................+..........................................+....+..........+............
..+..+...............................................+...........+....+...............+....+.........+.......................
..........+.........+.......+..................................................+........+..+.................................
.................................................+..............................................+.....+......................
.....................................+........................+..........................+............................+......
...................+...+...........................+......................+..........+.......................................
...................................................................................................+.......+.................
..............................+.......................+..............................+................+......................
..................................+............................................+......................+......................
.................+...+..........+............................................+........+................+.....................
........++*++*++*++*++*++*
DH parameters appear to be ok.

Set the file permissions

These commands are run in /etc/pki/CA/private (or give full paths). The CA key stays readable by root only; the server key is made readable by the radiusd group because FreeRADIUS runs as that user and must be able to open it, and the signed certificate you copied out of /tmp must be readable by the same group.

# chmod 600 cakey.pem && chown root:root cakey.pem
# chmod 640 server.domain.tld_key.pem && chown root:radiusd server.domain.tld_key.pem
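The whole procedure above, as an added example that is not part of the original page: a throwaway CA in a temporary directory, an EAP-TTLS server certificate signed with openssl ca, and the checks a practitioner would run before handing the files to FreeRADIUS. It goes a little beyond the page in two ways: it also publishes a CRL for the distribution point the certificate advertises, and it verifies the result the way a supplicant effectively does (chain, serverAuth EKU, SAN host name). Every name, address, URL and path in it is a placeholder assumption, it uses 2048-bit keys instead of the page's 4096 only to keep the run short, and it needs OpenSSL 1.0.2 or newer for -verify_hostname.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds a scratch CA, issues
# an EAP-TTLS server certificate with `openssl ca` as the page does, publishes
# a CRL, and checks what a supplicant relies on. All names, paths and URLs are
# placeholder assumptions. Needs openssl 1.0.2 or newer (-verify_hostname).
set -eu

WORK=$(mktemp -d)                 # scratch space; real keys do not belong in /tmp
CA_DIR="$WORK/CA"
CNF="$WORK/openssl.cnf"
CACERT="$CA_DIR/cacert.pem"
CERT="$CA_DIR/server_cert.pem"
SERVER_NAME="radius.example.org"  # placeholder; the name supplicants are told to check
SERVER_IP="192.0.2.10"            # placeholder from the documentation address range
RSA_BITS="${RSA_BITS:-2048}"      # the page uses 4096; 2048 keeps this demo fast

# 1. CA directory layout and database files (the page creates these by hand)
mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
chmod 700 "$CA_DIR/private"
echo 1000 > "$CA_DIR/serial"      # hex serial number of the next certificate
echo 1000 > "$CA_DIR/crlnumber"
: > "$CA_DIR/index.txt"
: > "$CA_DIR/index.txt.attr"

# 2. Minimal openssl.cnf with the sections the page adds. Request extensions
#    are deliberately absent: `openssl ca -extensions ttls_server` supplies them.
cat > "$CNF" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_anything
[ policy_anything ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, cRLSign, keyCertSign
[ ttls_server ]
crlDistributionPoints  = URI:http://www.example.org/eduroam.crl
extendedKeyUsage       = serverAuth
subjectAltName         = IP:$SERVER_IP, DNS:$SERVER_NAME
[ ttls_client ]
extendedKeyUsage       = clientAuth
EOF

# 3. Self-signed CA certificate and key (-nodes: unencrypted key, as on the page)
openssl req -config "$CNF" -batch -new -x509 -sha256 -nodes -newkey "rsa:$RSA_BITS" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CACERT" -days 2922 \
    -subj "/C=SI/O=Example Org/CN=Example Eduroam CA"
chmod 600 "$CA_DIR/private/cakey.pem"

# 4. Server key and request. No -extensions or -days here: without -x509 the
#    OpenSSL 1.0/1.1 series of openssl req ignores both, so the CA step decides.
openssl req -config "$CNF" -batch -new -sha256 -nodes -newkey "rsa:$RSA_BITS" \
    -keyout "$CA_DIR/private/server_key.pem" -out "$CA_DIR/server_req.pem" \
    -subj "/O=Example Org/CN=$SERVER_NAME"

# 5. Sign: ttls_server adds EKU, SAN and CDP; -days on this command sets the lifetime
openssl ca -config "$CNF" -batch -notext -extensions ttls_server \
    -policy policy_anything -days 730 \
    -in "$CA_DIR/server_req.pem" -out "$CERT"

# 6. A CRL for the distribution point the certificate advertises
openssl ca -config "$CNF" -gencrl -out "$CA_DIR/eduroam.crl"

# 7. Checks; each returns 0 on success so a deployment script can gate on them
verify_as_supplicant() { openssl verify -CAfile "$CACERT" -purpose sslserver -verify_hostname "$1" "$CERT" >/dev/null 2>&1; }
server_cert_ok()       { verify_as_supplicant "$SERVER_NAME"; }        # chain + serverAuth EKU + SAN name
wrong_name_rejected()  { ! verify_as_supplicant other.example.org; }   # a name absent from the SAN must fail
signed_with_sha256()   { openssl x509 -in "$CERT" -noout -text | grep -q sha256WithRSAEncryption; }
valid_beyond_700_days() { openssl x509 -in "$CERT" -noout -checkend 60480000 >/dev/null; }  # -days on ca took effect
crl_ok()               { openssl crl -in "$CA_DIR/eduroam.crl" -noout -CAfile "$CACERT" 2>&1 | grep -q 'verify OK'; }
ca_key_is_private()    { [ -n "$(find "$CA_DIR/private/cakey.pem" -perm 600)" ]; }   # mode 0600, owner only

if server_cert_ok && wrong_name_rejected && signed_with_sha256 \
   && valid_beyond_700_days && crl_ok && ca_key_is_private; then
    echo "OK: $CERT is usable as an EAP-TTLS server certificate"
else
    echo "FAILED: one of the checks did not pass; inspect $CA_DIR" >&2
fi
echo "CA database after signing:"; cat "$CA_DIR/index.txt"
```

Run it as an ordinary user; everything stays under the mktemp directory, which you should delete afterwards. openssl ca behaves exactly as in the listing above, only without the prompts (-batch) and without the text dump in front of the PEM block (-notext); the wrong_name_rejected check is the one that would catch the CN/SAN mismatch discussed under the openssl.cnf edit.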