February 28, 2014

PEAP certificates, signing requirements and examples


There are only minor differences between standard SSL certificates used by secure web sites and those
used with PEAP on 802.1x wireless networks.

With PEAP the SSID of the network, rather than your organization's domain, must match the common name
(CN) of the certificate.  Additionally an EKU (Enhanced Key Usage) for Server Authentication (OID
1.3.6.1.5.5.7.3.1) must be specified when creating your public certificate or signing request.

# openssl.cnf extension sections.  Within one section a repeated key is not
# merged: only the last extendedKeyUsage line would survive, so both OIDs
# must be listed on a single line.
[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1   # clientAuth + serverAuth

[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1


In these examples we will use the OpenSSL utility to create a Certificate Signing Request (CSR) used with a third-party certificate authority such as Verisign or Thawte.  We will also generate a ‘self-signed’ certificate that does not require a certificate authority but does require users to first accept your certificate as valid on a one-time basis, depending on the supplicant and its configuration.


Example creating a certificate signing request for a certificate authority

openssl req -new -nodes -keyout private.pem -out public.csr -reqexts PEAP -config openssl.cnf

(-reqexts is the option that places a configuration section's extensions in a certificate request; -extensions is honoured when -x509 is given, as in the self-signed example below.)

The output file public.csr is processed by your certificate authority (CA), which will return a signed
certificate file to you.  Combine private.pem with the certificate returned from the CA into a single file.  This file becomes the ‘PEAP Certificate’ file.  You will likely also need the CA’s certificate chain file if one is required.  This file becomes the ‘PEAP CA Certificate’.


Example creating a ‘self-signed’ certificate

openssl req -new -x509 -key private.pem -out public.pem -extensions PEAP -config openssl.cnf -days 5000
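The self-signed flow above, as an added script that is not part of the original post: it writes a minimal openssl.cnf with the PEAP section, issues the certificate, and then checks the two properties a supplicant depends on (CN equal to the SSID, serverAuth EKU present). The SSID "CorpWiFi" and the temporary working directory are constructed assumptions.

```shell
#!/bin/sh
# Added example: self-signed PEAP server certificate plus verification.
set -eu

SSID="CorpWiFi"              # assumed network name; must equal the CN
WORK="$(mktemp -d)"
CNF="$WORK/openssl.cnf"

# Minimal config.  Both EKU OIDs go on one extendedKeyUsage line; repeating
# the key inside a section keeps only the last value.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = CorpWiFi

[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1
EOF

# Self-signed certificate: with -x509, -extensions applies the PEAP section.
make_peap_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$WORK/private.pem" -out "$WORK/public.pem" \
        -extensions PEAP -config "$CNF" -days 5000 2>/dev/null
}

# Print "ok" when the CN of $1 equals $2 and the serverAuth EKU is present;
# otherwise print a short reason and fail.
check_peap_cert() {
    cert="$1"; want_ssid="$2"
    subj="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)"
    case "$subj" in
        *"CN=$want_ssid" | *"CN=$want_ssid,"*) ;;
        *) echo "cn-mismatch"; return 1 ;;
    esac
    # The line after "Extended Key Usage" in the text dump lists the purposes.
    if openssl x509 -in "$cert" -noout -text \
       | sed -n '/Extended Key Usage/{n;p;}' \
       | grep -q 'TLS Web Server Authentication'; then
        echo "ok"
    else
        echo "missing-serverauth"; return 1
    fi
}

make_peap_cert
check_peap_cert "$WORK/public.pem" "$SSID"
```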
