
Generating Certificates for Windows Clients

1. Generate a Self-Signed CA Certificate

To generate a self-signed CA certificate (recommended for RADIUS deployments), open the CA configuration file:

nano /etc/freeradius/3.0/certs/ca.cnf

Modify CA Configuration

  1. In the CA_default section, increase the number of days so that the certificate will be valid for a long time (10 years in this case):
     default_days = 3650
  2. In the req section, change the input_password and output_password from their default values:
     input_password = tj367tHXVK
     output_password = tj367tHXVK
  3. In the certificate_authority section, enter your organization’s information:
     countryName = US
     stateOrProvinceName = FL
     localityName = Miami
     organizationName = NPO Systems
     emailAddress = admin@nposystems.com
     commonName = "NPO Certificate Authority"
  4. Save and exit.

Generate CA Certificates

  1. Run the following commands from the /etc/freeradius/3.0/certs directory to generate CA certificates:
     make ca.pem
     make ca.der

2. Generate Server Certificate

Follow the same procedure to generate a server certificate:

nano /etc/freeradius/3.0/certs/server.cnf

Modify Server Configuration

  1. Modify the server.cnf file:
     default_days = 3650

     input_password = tj367tHXVK
     output_password = tj367tHXVK

     [server]
     countryName = US
     stateOrProvinceName = FL
     localityName = Miami
     organizationName = NPO Systems
     emailAddress = admin@nposystems.com
     commonName = "NPO Systems Server Certificate"
  2. Ensure the commonName is different from the one entered in ca.cnf.
  3. Save and exit.

Generate Server Certificate

  1. Run the following command from the /etc/freeradius/3.0/certs directory:
     make server.pem

3. Set Correct Ownership for Certificates

Ensure the generated files have the correct ownership:

chown freerad:freerad /etc/freeradius/3.0/certs/*

4. Update EAP Configuration

  1. Add the paths of the newly generated certificates in the EAP configuration file:
     nano /etc/freeradius/3.0/mods-enabled/eap
  2. Modify the tls-config tls-common section by setting the following values (private_key_password is the output_password set in server.cnf):
     private_key_password = tj367tHXVK
     private_key_file = /etc/freeradius/3.0/certs/server.pem
     certificate_file = /etc/freeradius/3.0/certs/server.pem
     ca_file = /etc/freeradius/3.0/certs/ca.pem
  3. Save and exit.
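
A pre-restart check for the settings in this step, as an added example that is not part of the original page: it reads the tls-config tls-common block, confirms each referenced file exists and is owned by freerad (per step 3), and flags a world-readable private key file or the password "whatever" that FreeRADIUS ships in its example configs. The function names and finding labels are made up for this example, and absolute paths are assumed.

```shell
# Added example, not from the original page: lint the certificate settings in
# the tls-config tls-common block of mods-enabled/eap (absolute paths assumed).

# Print "key<TAB>value" for each top-level setting in tls-config tls-common.
eap_tls_settings() {
    awk '
        /^[ \t]*tls-config[ \t]+tls-common[ \t]*[{]/ { depth = 1; next }
        depth > 0 {
            line = $0
            sub(/^[ \t]*#.*/, "", line); sub(/[ \t]+#.*/, "", line)
            depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
            if (depth == 1 && line ~ /=/) {
                key = line; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                gsub(/^"|"$/, "", val)
                print key "\t" val
            }
        }' "$1"
}

# Look up one key in that output (last assignment wins).
setting() { printf '%s\n' "$1" | awk -F'\t' -v k="$2" '$1 == k { v = $2 } END { print v }'; }

# check_eap_tls <eap-file> [owner=freerad]: prints findings, returns 1 if any.
check_eap_tls() {
    conf=$(eap_tls_settings "$1"); owner=${2:-freerad}; rc=0
    for key in private_key_file certificate_file ca_file; do
        path=$(setting "$conf" "$key")
        if [ -z "$path" ]; then
            echo "UNSET $key"; rc=1
        elif [ ! -f "$path" ]; then
            echo "NOFILE $key $path"; rc=1
        elif [ -z "$(find -L "$path" -user "$owner" 2>/dev/null)" ]; then
            echo "OWNER $key $path is not owned by $owner"; rc=1
        fi
        # The page points private_key_file at server.pem; keep it from "other".
        if [ "$key" = private_key_file ] && [ -f "$path" ] &&
           [ -n "$(find -L "$path" -perm -004)" ]; then
            echo "PERMS $key $path is world-readable"; rc=1
        fi
    done
    # "whatever" is the password in FreeRADIUS's shipped example configs.
    if [ "$(setting "$conf" private_key_password)" = whatever ]; then
        echo "DEFAULTPW private_key_password is still the shipped default"; rc=1
    fi
    return "$rc"
}

if [ "$#" -ge 1 ]; then check_eap_tls "$@"; fi
```

Saved as a script, it takes the eap file path as its argument, for instance /etc/freeradius/3.0/mods-enabled/eap; no output and exit status 0 mean nothing was flagged.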

5. Restart FreeRADIUS Service

Restart the FreeRADIUS service to apply changes:

systemctl restart freeradius