(RADIATOR) CA signed certificate for PEAP and TTLS

Bob Shafer bshafer at du.edu
Sat Jan 26 03:19:07 CST 2008

That worked.  At least on my very limited test.  I'll see if I can try 
it with a larger population next week.

In this case it was a Comodo signed certificate.  But, as I said, my 
somewhat cursory survey of web server certificates seems to indicate 
that most of the CA signed certificate include the required Extended Key 
Usage OID.

Here is a bit of information others might find useful.

One can check this out by connecting to an SSL web site with a browser 
(Firefox in my case) and examining the certificate detail.  You'll find 
"Extended Key Usage" under the general heading of "Extensions"

Or it is possible to use openssl to display the certificate contents. 
For example, on the test server cert OSC provides:

openssl x509 -in cert-srv.pem -noout -text

This causes a lot of information to be displayed. In particular it shows:

         X509v3 extensions:
             X509v3 Extended Key Usage:
             TLS Web Server Authentication

I hope that helps.


Mike McCauley wrote:
> Hi Bob,
> On Saturday 26 January 2008 07:29, Bob Shafer wrote:
>> I've just spent some time looking at various SSL web server certificates.
>> It appears to me, and I am no expert on the matter, but all of the
>> standard signed certificates from places like Thawte, Comodo, GoDaddy,
>> Verisign and etc. have EKU's with Server Authentication
>> (  Which I *think* is the OID in question.
> Yes, thats the one you want.
>> If which case nearly any CA signed certificate could work.
>> In fact, I've got one that is not currently in use.  I'll give it a try
>> and see what happens.
> OK.
> Cheers.
>> Bob
>> Mike McCauley wrote:
>>> Hello Bob,
>>> On Friday 25 January 2008 01:20, Bob Shafer wrote:
>>>> Rather than using a self-signed certificate generated by the
>>>> mkcertificate.sh script DU would like to use one signed by a Certificate
>>>> Authority.  After looking at the code in that script it appears that the
>>>> CA must add in the xpextentions to support the MS native supplicant.
>>>> I'm guessing this means that one needs a wireless lan friendly CA.
>>> Yes, thats correct.
>>> MS (and most other windows) supplicants require that the server cert have
>>> the 'Server Authentication' EKU set in it.
>>>> My two questions are these:
>>>> It appears that Verisign provides that service for IAS.  Are these
>>>> certificates compatible with radiator for use with both PEAP and TTLS?
>>> Yes.
>>>> Are there any competing CA's that offer this service?
>>> I think most CAs do, but it may be hard to find out how to apply :-(
>>> Cheers.
>>>> Thanks,
>>>> Bob Shafer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3577 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080126/dad9ac93/attachment.bin>

More information about the radiator mailing list