I want to purchase commercial SSL certificates for a FreeRADIUS server (on Linux) to use for PEAP 802.1X authentication for Windows clients.
Does anyone know if there is anything in particular that I have to look for in the certificate to use it with RADIUS? As far as I have read, a standard SSL certificate should work.
Thanks!
No, a standard SSL certificate won't generally work. It needs to have some very specific OIDs for use with Windows clients. See /etc/raddb/certs/xpextensions for the specific OIDs you need.
Many CAs will include these automatically if you specify you're using the certs for 802.1X.
I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet portal with which the application communicates. My question is: do signing services generally provide both the certificate for the application and the certificate for the site? Can you sign the application with the same certificate, or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You cannot sign the application using the same cert as you are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not be able to use the SSL cert for multiple hosts (e.g. blog.domain.com, www.domain.com, chat.domain.com, static.domain.com...); this depends on the type of certificate you are using.
Also: please note that you can get free SSL certificates (e.g. Let's Encrypt provides them, and Azure websites can use free "managed" certs from Microsoft). However, to my knowledge, there are no free code signing certificates.
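The two answers above turn on the same certificate field: the Extended Key Usage (EKU) extension. A PEAP server certificate must carry serverAuth (OID 1.3.6.1.5.5.7.3.1, the value FreeRADIUS' xpextensions puts in its server section), while an .exe is signed with a certificate carrying codeSigning (1.3.6.1.5.5.7.3.3), which is why one SSL certificate cannot do both jobs. The script below is an added example, not code from either thread; it creates throwaway self-signed certificates with different EKUs and checks which purpose each one carries. It needs OpenSSL 1.1.1 or newer for -addext, and the host names and file paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum threads. It creates throwaway
# self-signed certificates with different Extended Key Usage (EKU) values and
# checks which purpose each one carries. Standard OIDs:
#   1.3.6.1.5.5.7.3.1 serverAuth  - required in a RADIUS/PEAP server cert
#   1.3.6.1.5.5.7.3.2 clientAuth
#   1.3.6.1.5.5.7.3.3 codeSigning - what an .exe signing certificate carries
# Needs OpenSSL 1.1.1+ (for -addext). Host names and paths are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU -> self-signed cert $WORK/NAME.pem carrying that EKU
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1.example.invalid" \
        -addext "extendedKeyUsage = $2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_has_eku PEMFILE OID -> exit 0 if the EKU extension lists that OID.
# openssl prints EKU values by name, so the OID is mapped to its display name.
cert_has_eku() {
    case "$2" in
        1.3.6.1.5.5.7.3.1) name="TLS Web Server Authentication" ;;
        1.3.6.1.5.5.7.3.2) name="TLS Web Client Authentication" ;;
        1.3.6.1.5.5.7.3.3) name="Code Signing" ;;
        *)                 name="$2" ;;
    esac
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q "$name"
}

# The two checks the threads above care about
peap_server_ok()  { cert_has_eku "$1" 1.3.6.1.5.5.7.3.1; }
code_signing_ok() { cert_has_eku "$1" 1.3.6.1.5.5.7.3.3; }

# Demo: one cert issued for a RADIUS server, one for signing binaries
make_cert radius serverAuth
make_cert signer codeSigning
for c in radius signer; do
    pem="$WORK/$c.pem"
    if peap_server_ok "$pem";  then s=yes; else s=no; fi
    if code_signing_ok "$pem"; then k=yes; else k=no; fi
    echo "$c.pem: usable for PEAP server=$s, for code signing=$k"
done
```

Run the same cert_has_eku check against a certificate a CA delivered before deploying it on the RADIUS server: if the serverAuth line is missing, Windows supplicants will reject the server during PEAP even though a browser would accept the certificate.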
I got a few e-mails yesterday warning me that some of my WHM self-assigned SSL certificates are going to expire. I did not set up the WHM originally, but according to their documentation self-assigned certificates are usually created during the WHM installation.
Services that need a new certificate:
cPanel/WHM/Webmail Service
Exim (SMTP) Server
Dovecot Mail Server
FTP Server
All on the same domain (which is our main domain that we use to access WHM).
All current services have self-assigned certificates. I don't know the point of having self-assigned certificates if they create browser errors anyway.
So I guess I have 2 questions:
Are there any issues that could arise from resetting the current certificates?
Do I have to have a certificate at all? Our main domain (that has all these certificates) doesn't use SSL.
I'm afraid I don't have experience with WHM, but I do have experience with SSL certificates, so hopefully this will be helpful anyway.
If there are any existing clients who have been using the services over SSL, they will have already been accepting the existing self-signed certificates, so they should be able to accept the new ones. Whether this will happen automatically probably depends on the client.
You say your main domain doesn't use SSL. However, are you just talking about a website? Are there, for example, email clients which are talking to your Exim server using secure SMTP or to Dovecot using secure IMAP? If so, then they'd need the server to provide an SSL certificate (and they may need to accept the new self-signed certificate).
Self-signed certificates will cause browser security exceptions that need to be accepted by users and they don't provide a guarantee of identity in the same way that 'proper' certificates do, but at least they enable encryption to be used for communication.
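Two checks make the renewal decision above concrete: how soon each service certificate expires, and the fingerprint that mail clients or browsers pinned when they accepted the old self-signed certificate, which changes when it is regenerated. The script below is an added example, not from the thread or from WHM; it needs openssl, and the host name and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the two checks worth running on
# self-signed service certificates: how soon each one expires, and the
# fingerprint that clients will have to re-accept once it is regenerated.
# Needs openssl; the host name and file paths are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_self_signed CN DAYS -> writes $WORK/CN.key and $WORK/CN.pem
issue_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# expires_within PEMFILE SECONDS -> 0 if the cert expires inside that window
# (or is already expired / unreadable), 1 if it stays valid past it.
# openssl's -checkend exits 0 for "will not expire" and 1 for "will expire".
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# not_after PEMFILE -> the notAfter date as openssl prints it
not_after() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# fingerprint PEMFILE -> SHA-256 fingerprint; this is the value an email
# client or browser stored when it accepted the old self-signed certificate
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

THIRTY_DAYS=$((30 * 24 * 3600))

# Demo: a cert with 5 days left triggers regeneration for a year
issue_self_signed mail.example.invalid 5
old_fp="$(fingerprint "$WORK/mail.example.invalid.pem")"
if expires_within "$WORK/mail.example.invalid.pem" "$THIRTY_DAYS"; then
    echo "mail: expires $(not_after "$WORK/mail.example.invalid.pem"); regenerating"
    issue_self_signed mail.example.invalid 365
fi
new_fp="$(fingerprint "$WORK/mail.example.invalid.pem")"
echo "old fingerprint: $old_fp"
echo "new fingerprint: $new_fp (clients that pinned the old one must re-accept)"
```

Publishing the new fingerprint to the people who run those mail clients is what turns the "accept this certificate?" prompt from a guess into a verifiable step; without it, a user cannot tell a regenerated server certificate from an interposed one.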
I don't know if anyone is familiar with Tivoli Directory Server (LDAP), but I guess there is something more or less the same in every LDAP software.
So, there is a setting for SSL authentication which can be serverClientAuth or serverAuth. With serverAuth it is sufficient for the server to provide the certificate and the client (JXplorer) just accepts it to connect. With serverClientAuth, apart from the certificate provided by the server, the client also needs to have its certificate on the server.
In my setup I have the serverClientAuth setting. So I was wondering if it is possible for JXplorer to provide the client certificate to the LDAP server.
Any thoughts are welcome. Thanks.
Yes, it is possible, and there is a menu provided specifically for that purpose, which lets you define the KeyStore, truststore, and various other SSL things.
I run an nginx-powered application and I recently turned my attention to using it over HTTPS. This is the module in nginx that does this: http://wiki.nginx.org/HttpSslModule
However, I'm somewhat unclear about what is actually required to run a site over https.
What else is there to do to serve my site over SSL? What is the role of the certificate, and is it a requirement that I purchase it from somewhere?
You need a certificate to prove to your user that the server they're connected to is indeed the one intended (and not a MITM attacker).
If your server is to be used by a limited number of users to whom you could give a certificate explicitly, you could use a self-signed certificate or create your own certification authority (CA).
Otherwise, if you want your certificate to be recognised by most browsers, you'll need to get one from a commercial CA.
You should find more details in this answer. You may also be interested in this.
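Once the certificate and its private key are on the server, wiring them into nginx is the remaining step. The configuration below is an added example, not from the thread or the nginx wiki; the host name and file paths are assumptions, and the TLSv1.3 value needs nginx 1.13 or newer.

```nginx
# Added example: minimal HTTPS server block using the HttpSslModule directives.
# Host name and paths are assumptions.
server {
    listen 443 ssl;
    server_name www.example.invalid;

    # the certificate the CA returned (with its chain) and the private key
    ssl_certificate     /etc/nginx/ssl/www.example.invalid.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/www.example.invalid.key;

    # only current protocol versions; let the client pick from the modern suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        root /var/www/example;
    }
}

# plain HTTP only redirects, so nothing is served unencrypted
server {
    listen 80;
    server_name www.example.invalid;
    return 301 https://$host$request_uri;
}
```

Keep the key file readable only by root (nginx reads it before dropping privileges), and run `nginx -t` after editing so a typo in the certificate path is caught before a reload takes the site down.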
I need to enable SSL on my website.
Q1> What should I do to enable this service?
Q2> Should I change my code (i.e. PHP+JavaScript+MySQL )?
Thank you
Q1> You need to generate a certificate signing request and send it to a trusted certificate authority to be signed, usually for a fee. I use SSL.com regularly because they give me responsive customer support. After they sign the certificate, they will send it back to you or you can download it. Then you install the signed certificate on your server.
If you are running Windows, try http://www.ssltools.com/manager for a tool that generates the CSR.
Q2> You can configure it in the server settings, but you can also programmatically implement it in your code, for instance if you want to open sockets in your code, or if you want SSL on certain pages (although modern servers allow selective SSL implementation in the settings).
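The Q1 step on any Linux server is a private key plus a certificate signing request built with openssl. The script below is an added example, not the answerer's code or SSL.com's tooling; it puts every host name into a subjectAltName (browsers no longer trust the CN alone), verifies the request's own signature and confirms the key matches before anything is sent to the CA. It needs OpenSSL 1.1.1+ for -addext, and the host names and paths are constructed.

```shell
#!/bin/sh
# Added example, not the answerer's code. Generates the private key and the
# certificate signing request (CSR) for a site, with all host names in a
# subjectAltName, then checks the CSR before it goes to the CA.
# Needs OpenSSL 1.1.1+ (-addext). Host names and paths are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_csr PRIMARY_HOST [EXTRA_HOST...] -> $WORK/PRIMARY_HOST.key and .csr
make_csr() {
    host="$1"; shift
    san="DNS:$host"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -addext "subjectAltName = $san" \
        -addext "keyUsage = digitalSignature,keyEncipherment" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    chmod 600 "$WORK/$host.key"      # the private key never leaves the server
}

# csr_is_valid CSRFILE -> 0 if the request's self-signature verifies
csr_is_valid() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# csr_sans CSRFILE -> comma-separated SAN list, e.g. "DNS:a,DNS:b"
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# key_matches_csr KEYFILE CSRFILE -> 0 if the CSR's public key belongs to KEYFILE
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo: one request covering the bare domain and its www host
make_csr example.invalid www.example.invalid
echo "CSR valid: $(csr_is_valid "$WORK/example.invalid.csr" && echo yes || echo no)"
echo "SANs: $(csr_sans "$WORK/example.invalid.csr")"
echo "Send $WORK/example.invalid.csr to the CA; keep $WORK/example.invalid.key private"
```

Only the .csr file is uploaded to the CA; the signed certificate that comes back is installed next to the .key file that was generated here, and key_matches_csr is the same comparison to repeat against the returned certificate (with `openssl x509 -noout -pubkey`) before reloading the web server.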