(RADIATOR) CA signed certificate for PEAP and TTLS
Bob Shafer
bshafer at du.edu
Fri Jan 25 15:29:56 CST 2008
I've just spent some time looking at various SSL web server certificates.
It appears to me, and I am no expert on the matter, that all of the
standard signed certificates from places like Thawte, Comodo, GoDaddy,
Verisign, etc. have EKUs with Server Authentication
(1.3.6.1.5.5.7.3.1), which I *think* is the OID in question.
In which case nearly any CA signed certificate could work.
In fact, I've got one that is not currently in use. I'll give it a try
and see what happens.
Bob
Mike McCauley wrote:
> Hello Bob,
>
> On Friday 25 January 2008 01:20, Bob Shafer wrote:
>> Rather than using a self-signed certificate generated by the
>> mkcertificate.sh script DU would like to use one signed by a Certificate
>> Authority. After looking at the code in that script it appears that the
>> CA must add in the xpextentions to support the MS native supplicant.
>>
>> I'm guessing this means that one needs a wireless lan friendly CA.
>
> Yes, that's correct.
> MS (and most other Windows) supplicants require that the server cert have the
> 'Server Authentication' EKU set in it.
>
>> My two questions are these:
>>
>> It appears that Verisign provides that service for IAS. Are these
>> certificates compatible with radiator for use with both PEAP and TTLS?
>
> Yes.
>
>> Are there any competing CAs that offer this service?
>
> I think most CAs do, but it may be hard to find out how to apply :-(
>
> Cheers.
>
>
>> Thanks,
>>
>> Bob Shafer
>
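
Added example, not part of the original thread and not Radiator code: a standard-library Python check that a certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) discussed above, useful before installing a CA-issued certificate for PEAP/TTLS. The function names are this example's own, and `sample()` builds a constructed, unsigned DER fragment shaped like a certificate's extension path so the block runs offline; malformed DER is not handled.

```python
import ssl

EKU_EXT = bytes.fromhex("551d25")      # id-ce-extKeyUsage, 2.5.29.37
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # the OID quoted in the post

def read_tlv(buf, pos):                # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def decode_oid(raw):
    arcs, n = [], 0
    for b in raw:                      # base-128, high bit marks continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)      # first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):
    """Return the EKU OIDs in a DER structure, or [] if no EKU extension is present."""
    items = list(children(der))
    if items and items[0] == (0x06, EKU_EXT):   # Extension: OID, [critical], OCTET STRING
        _, seq, _ = read_tlv(items[-1][1], 0)   # OCTET STRING wraps a SEQUENCE OF OID
        return [decode_oid(v) for t, v in children(seq) if t == 0x06]
    for tag, val in items:
        found = eku_oids(val) if tag & 0x20 else []   # descend into constructed types only
        if found:
            return found
    return []

def has_server_auth(cert):             # cert: PEM text or DER bytes
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return SERVER_AUTH in eku_oids(der)

def sample(*eku_hex):                  # CONSTRUCTED input: extension path only, unsigned
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths
    ekus = b"".join(tlv(0x06, bytes.fromhex(h)) for h in eku_hex)
    ext = tlv(0x30, tlv(0x06, EKU_EXT) + tlv(0x04, tlv(0x30, ekus)))
    return tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, ext))))
```

For a real certificate, pass the PEM file's text or its DER bytes to `has_server_auth()`.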