Plateforme utilisée : Linux CentOS 5.8, FreeRADIUS 2, OpenSSL 0.9
Création des certificats pour la configuration de eap/tls
Les étapes sont les suivantes : création du certificat de l’autorité racine, création du certificat pour le serveur RADIUS, signature du certificat du serveur par l’autorité de certification, puis configuration du fichier eap.conf dans FreeRADIUS.
Création de l’autorité de certification
Préparation des répertoires et fichiers
[root@centos certs]# mkdir private newcerts crl
[root@centos certs]# echo '1001' > serial
[root@centos certs]# touch index.txt
Configuration du fichier openssl.cnf
[root@centos certs]# vi /etc/pki/tls/openssl.cnf
####################################################################
# Issuing-CA part of openssl.cnf as used for this FreeRADIUS EAP-TLS setup;
# all CA state lives under /etc/raddb/certs (see dir below).
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
# NOTE(review): dir sits inside the RADIUS configuration tree, so the CA
# private key (private/cakey.pem) is kept on the RADIUS server itself;
# keep private/ readable by root only (the key is passphrase-protected).
dir = /etc/raddb/certs # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Issued certificates are valid for 10 years (same lifetime as the CA below).
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
# NOTE(review): SHA-1 signatures are no longer accepted by current TLS
# clients; use sha256 here and in [ req ] if the OpenSSL build supports it.
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
[ req ]
# NOTE(review): 1024-bit RSA is below the current 2048-bit minimum. This
# default is what the server request on this page picked up because no
# -newkey was given; the CA key itself was created with -newkey rsa:2048.
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
# Defaults below are what the interactive prompts on this page offer in [].
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Paris
localityName = Locality Name (eg, city)
localityName_default = Paris
0.organizationName = Organization Name (eg, company)
0.organizationName_default = masociete
Création du certificat racine de l’autorité de certification
L’autorité de certification a une durée de validité de 10 ans. Son certificat se trouve dans le fichier cacert.pem et sa clé privée dans le fichier private/cakey.pem.
[root@centos certs]# openssl req -new -x509 -newkey rsa:2048 -days 3650 \
> -keyout ./private/cakey.pem -out cacert.pem \
> -config /etc/pki/tls/openssl.cnf
Generating a 2048 bit RSA private key
....+++
.................+++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [masociete]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos.demo.com
Email Address []:
[root@centos certs]#
Affichage du certificat créé
[root@centos certs]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:64:60:68:6b:fe:2f:46
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=Paris, L=Paris, O=masociete, CN=AC
Validity
Not Before: May 29 12:46:59 2012 GMT
Not After : May 27 12:46:59 2022 GMT
Subject: C=FR, ST=Paris, L=Paris, O=masociete, CN=AC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:ad:04:9c:df:56:ad:32:fa:ef:6e:ef:8c:26:e2:
fa:2b:f6:8b:68:e1:c4:f6:5c:ff:8e:6f:d4:8a:db:
29:de:1c:f9:cd:a6:b2:59:05:6b:ab:07:3e:6a:a0:
7b:aa:f2:2e:d3:79:89:3b:26:f1:e4:96:76:60:dc:
f7:c4:ca:54:ba:5a:cd:20:75:0d:a4:90:8a:b9:48:
21:c6:47:ae:9d:31:1b:ce:9b:63:c2:f0:68:ff:0f:
c4:1e:fb:19:39:4a:13:0b:86:1d:ff:41:5c:6e:4e:
38:3d:be:65:ef:6b:3f:2d:12:29:a1:d8:32:5d:bb:
7a:88:35:c9:74:82:9a:f9:c7:da:e3:d4:c3:25:83:
7d:01:82:19:1f:c6:6d:94:4b:c7:aa:75:9a:51:0f:
2a:1b:85:07:9f:01:fb:eb:e1:d4:23:25:7d:d3:a4:
d5:5c:1e:b1:15:40:1d:83:a9:21:61:92:e2:2e:8c:
8f:d0:81:b7:35:d2:4d:e5:20:e7:95:5a:fa:de:4e:
0b:b9:d5:80:00:27:a6:33:af:55:57:27:38:b8:53:
06:d6:8f:67:c1:e2:e5:6d:de:af:de:c9:a7:fc:c5:
b2:4a:f2:e9:34:50:f4:76:45:00:ba:f0:4d:f0:12:
f2:b7:6f:ab:20:97:90:cf:48:b6:1f:5b:b8:89:27:
f2:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
57:5B:51:08:8C:D3:78:38:8C:71:D4:09:9B:C2:EC:B6:55:F0:AD:31
X509v3 Authority Key Identifier:
keyid:57:5B:51:08:8C:D3:78:38:8C:71:D4:09:9B:C2:EC:B6:55:F0:AD:31
DirName:/C=FR/ST=Paris/L=Paris/O=masociete/CN=AC
serial:99:64:60:68:6B:FE:2F:46
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
97:95:49:70:4f:8b:3f:75:08:da:dd:bb:10:94:05:62:a1:e7:
65:9f:b5:ba:9a:8a:c8:e0:39:9a:54:1d:92:a6:ba:ba:7b:59:
45:17:fb:0f:0b:c5:7c:79:f7:c7:73:8c:f2:69:9f:00:44:de:
1f:fa:6f:ef:0b:ec:66:a5:33:90:63:e8:0a:eb:f4:bc:37:b7:
4c:a9:97:02:e1:a9:38:f8:f1:b7:4f:de:a3:65:83:01:b5:1d:
a7:55:24:07:9b:ac:91:8f:11:9c:3a:d3:cc:4e:0e:74:d9:fe:
21:17:18:46:13:3a:eb:d1:b0:b9:c5:95:3e:c5:00:70:57:f3:
ac:f7:71:7f:b7:0b:14:19:84:1d:6f:05:86:e8:07:b7:1e:17:
15:d9:f9:b4:d5:ef:88:6d:09:7f:fc:7a:8c:07:7a:56:17:95:
3e:20:f2:8d:aa:ee:6f:7b:ca:c6:26:48:26:35:73:b8:1c:69:
64:4d:ee:19:e1:84:be:d7:79:b1:9e:c5:a1:f2:42:71:2d:90:
58:0a:ca:88:cf:4b:dd:d2:8c:e7:70:40:cf:47:1b:b1:ed:3e:
10:32:4a:84:79:c3:26:b4:22:58:9d:08:e1:1e:da:d3:12:5d:
ab:0f:15:2d:d1:6e:1d:0d:10:5a:0e:7b:12:dd:5b:d2:75:90:
20:cb:22:5c
[root@centos certs]#
Conversion du certificat pour l’importation sous Windows
Pour que le client puisse vérifier le certificat du serveur avec EAP-TLS, TTLS ou PEAP, il faut importer le certificat de l’autorité de certification sur la machine cliente.
Conversion du certificat pour l’installation sur une machine windows.
[root@centos certs]# openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER
Création du certificat pour le serveur radius
Le CN correspond au nom du serveur (centos.demo.com). Il est possible d’émettre des certificats génériques pour toutes les machines d’un domaine ; le CN sera alors *.domaine.com.
[root@centos certs]# openssl req -new -nodes -out reqserver.pem -keyout private/server.key -config /etc/pki/tls/openssl.cnf
Generating a 1024 bit RSA private key
..........................++++++
.++++++
writing new private key to 'private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [masociete]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos.demo.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: passwordamodifier
An optional company name []:
[root@centos certs]#
Signature du certificat par l’autorité de certification
[root@centos certs]# openssl ca -out server.pem -config /etc/pki/tls/openssl.cnf \
> -infiles reqserver.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/raddb/certs/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4097 (0x1001)
Validity
Not Before: May 29 13:00:48 2012 GMT
Not After : May 27 13:00:48 2022 GMT
Subject:
countryName = FR
stateOrProvinceName = Paris
organizationName = masociete
commonName = centos.demo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
00:1E:1C:0E:6B:6D:CA:D6:16:57:12:8A:71:5A:88:94:9F:1B:54:9C
X509v3 Authority Key Identifier:
keyid:57:5B:51:08:8C:D3:78:38:8C:71:D4:09:9B:C2:EC:B6:55:F0:AD:31
Certificate is to be certified until May 27 13:00:48 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos certs]#
Configuration des certificats dans le fichier /etc/raddb/eap.conf
# Le mot de passe et le fichier de la clé privée du serveur radius
private_key_password = motdepasse
private_key_file = ${raddbdir}/certs/server.key
# Le certificat du serveur radius
certificate_file = ${raddbdir}/certs/server.pem
# Le certificat pour l'autorité de certification
CA_file = ${raddbdir}/certs/cacert.pem
Le fichier eap.conf (partie tls)
[root@centos certs]# vi /etc/raddb/eap.conf
# tls section of /etc/raddb/eap.conf wired to the certificates created above.
tls {
# NOTE(review): this password is stored in clear text; keep eap.conf
# readable only by the user radiusd runs as. The server key on this page
# was generated with "openssl req -nodes", i.e. it is not encrypted, so
# this value does not protect it -- the permissions on the key file do.
private_key_password = motdepasse
# NOTE(review): the server key was written to certs/private/server.key
# (openssl req -keyout private/server.key), not certs/server.key; either
# move the file or point this path at private/server.key.
private_key_file = ${raddbdir}/certs/server.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
certificate_file = ${raddbdir}/certs/server.pem
# Trusted Root CA list
# Any client certificate chaining to this CA is accepted while check_crl,
# check_cert_issuer and check_cert_cn below stay commented out.
CA_file = ${raddbdir}/certs/cacert.pem
# NOTE(review): neither dh nor random is generated in the steps shown on
# this page; check that both files exist before relying on this section.
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) Add 'CA_path=<CA certs&CRLs directory>'
# to radiusd.conf's tls section.
# 4) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
# cipher_list = "DEFAULT"
}