(RADIATOR) CA signed certificate for PEAP and TTLS
bshafer at du.edu
Fri Jan 25 15:29:56 CST 2008
I've just spent some time looking at various SSL web server certificates.
It appears to me, and I am no expert on the matter, but all of the
standard signed certificates from places like Thawte, Comodo, GoDaddy,
Verisign, etc. have EKUs with Server Authentication
(1.3.6.1.5.5.7.3.1). Which I *think* is the OID in question.
In which case nearly any CA signed certificate could work.
In fact, I've got one that is not currently in use. I'll give it a try
and see what happens.
Mike McCauley wrote:
> Hello Bob,
> On Friday 25 January 2008 01:20, Bob Shafer wrote:
>> Rather than using a self-signed certificate generated by the
>> mkcertificate.sh script DU would like to use one signed by a Certificate
>> Authority. After looking at the code in that script it appears that the
>> CA must add in the xpextensions to support the MS native supplicant.
>> I'm guessing this means that one needs a wireless lan friendly CA.
> Yes, that's correct.
> MS (and most other Windows) supplicants require that the server cert have the
> 'Server Authentication' EKU set in it.
>> My two questions are these:
>> It appears that Verisign provides that service for IAS. Are these
>> certificates compatible with radiator for use with both PEAP and TTLS?
>> Are there any competing CAs that offer this service?
> I think most CAs do, but it may be hard to find out how to apply :-(
>> Bob Shafer