Generation of server certificates with OpenSSL and a Winbugs CA

Generation of certificates for FreeRadius (EAP-TLS) with a CA on a Winbugs box

When generating certificates to be used by FreeRadius with EAP-TLS, there is an extension which must be added to the certificate so that the client can validate it. This validation is performed by the client against a root CA certificate. If this extension is not present in your FreeRadius server certificate, the authentication process fails, because the client is unable to validate the certificate and stops communicating with your server. If you happen to have your CA running on a Winbugs box, then this might be of help. We are going to generate a request using openssl and issue the certificate with Winbugs, with the needed extension embedded in the cert file.

First of all, on the computer where you are going to generate the request, edit your openssl.cnf file and make the following modifications:

Find the v3_req stanza and change the following line:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

to this one

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

and add the following line at the end of this stanza

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This will generate a request containing all the attributes/extensions the clients need in order to validate the certificate (1.3.6.1.5.5.7.3.1 is the OID of the TLS Web Server Authentication extended key usage).

Your v3_req stanza should look like the following:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Bear in mind that you are modifying openssl's configuration file, so all future requests will have these attributes set. If you don't want every future request to be a server authentication request, comment the last line out of the v3_req stanza.

Now generate your request using openssl:

openssl req -new -keyout server.key -out server.req

This generates two files: one containing your private key and another containing the actual request. OpenSSL will ask you for a pass phrase. The pass phrase you enter here is important: without it you won't be able to decrypt your private key.

Our CA is on a Win2k3 server. We need to send our request to the CA using Microsoft Certificate Services. Open your favorite browser, go to http://your_server/certsrv/, select "Request a certificate" and submit an "advanced certificate request" using the base-64-encoded option.

Once the page is open, paste the contents of your server.req file into the form and press submit. Then you just need to wait for your CA to issue the certificate for you.

If you need your certificate in PEM format and the certificate was exported DER-encoded, there is a final step you have to perform:

openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded and you only need the .pem extension, just rename the file:

mv certificate.cer certificate.pem
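As an added example (not code from the original page), the procedure above as a small POSIX shell script: a self-contained request config instead of edits to the global openssl.cnf, CSR generation, a check that the server authentication EKU is really present both in the request and in the certificate the CA hands back (a CA template can drop requested extensions), and the DER/Base-64 to PEM step. The CN radius.example.test and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build the EAP-TLS server CSR with
# the serverAuth EKU, then verify the CSR and the issued certificate carry it.
set -eu

SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, TLS Web Server Authentication

# Write a minimal openssl config (hypothetical CN). Unlike editing the global
# openssl.cnf this affects only requests made with -config, and it sets
# req_extensions explicitly: the stock openssl.cnf ships it commented out,
# and without it the v3_req stanza is silently ignored.
write_req_config() {            # $1 = output path
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
CN = radius.example.test
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = $SERVER_AUTH_OID
EOF
}

# Generate key + CSR. -nodes leaves the key unencrypted so this runs unattended;
# drop it to get the pass phrase prompt described above.
make_request() {                # $1 = config, $2 = key out, $3 = csr out
    openssl req -new -newkey rsa:2048 -nodes -config "$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Return 0 if file $1 (a CSR when $2=req, a certificate when $2=x509) carries
# the serverAuth EKU; accepts PEM or DER input by trying both encodings.
has_server_auth_eku() {         # $1 = file, $2 = req|x509
    for fmt in PEM DER; do
        openssl "$2" -inform "$fmt" -in "$1" -noout -text 2>/dev/null \
            | grep -q 'TLS Web Server Authentication' && return 0
    done
    return 1
}

# Normalise an issued certificate to PEM whether the CA exported DER or
# Base-64, instead of guessing which of the two final steps above applies.
to_pem() {                      # $1 = input .cer, $2 = output .pem
    if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
    else openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; fi
}
```

Run has_server_auth_eku on the file the CA returns before installing it in FreeRadius; if it returns 1, the issuing template has stripped the extension and clients will reject the server.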