(RADIATOR) CA signed certificate for PEAP and TTLS

Bob Shafer bshafer at du.edu
Fri Jan 25 15:29:56 CST 2008

I've just spent some time looking at various SSL web server certificates.

It appears to me, and I am no expert on the matter, but all of the 
standard signed certificates from places like Thawte, Comodo, GoDaddy, 
Verisign and etc. have EKU's with Server Authentication 
(  Which I *think* is the OID in question.

If which case nearly any CA signed certificate could work.

In fact, I've got one that is not currently in use.  I'll give it a try 
and see what happens.


Mike McCauley wrote:
> Hello Bob,
> On Friday 25 January 2008 01:20, Bob Shafer wrote:
>> Rather than using a self-signed certificate generated by the
>> mkcertificate.sh script DU would like to use one signed by a Certificate
>> Authority.  After looking at the code in that script it appears that the
>> CA must add in the xpextentions to support the MS native supplicant.
>> I'm guessing this means that one needs a wireless lan friendly CA.
> Yes, thats correct.
> MS (and most other windows) supplicants require that the server cert have the 
> 'Server Authentication' EKU set in it.
>> My two questions are these:
>> It appears that Verisign provides that service for IAS.  Are these
>> certificates compatible with radiator for use with both PEAP and TTLS?
> Yes.
>> Are there any competing CA's that offer this service?
> I think most CAs do, but it may be hard to find out how to apply :-(
> Cheers.
>> Thanks,
>> Bob Shafer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3577 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080125/9c353215/attachment.bin>

More information about the radiator mailing list