How i make ssl-ca

[rallep71]

Hello, can you show me how make

ssl-ca=/mysql-certs/ca.crt ssl-cert=/mysql-certs/mysql.acme.com.crt ssl-key=/mysql-certs/mysql.acme.com.pem

ca_file = "/etc/raddb/ca.crt" certificate_file = "/etc/raddb/rad_client.crt" private_key_file = "/etc/raddb/rad_client.pem"

https://carloalbertoscola.it/2019/network/security/linux/freeradius-3-setup-mysql-eap-ttls/

Thx

[bestrocker221]

Hi! You can use my script to generate your own CA and server, client certs from here:

• https://github.com/bestrocker221/serverstuff/blob/master/manage_ca.sh

The steps are:

./manage_ca.sh build-ca
./manage_ca.sh server-cert <CN>
./manage_ca.sh client-cert <name>

you will find:

• ca.crt under ca/pki/ca.crt
• server key and crt under server/
• client key and crt under client-configs/keys/

Let me know if it solves the problem!

:)

[bestrocker221]

When using build-ca the only required input is the algorithm (rsa or ec) and the password (at least of length 4).

Depending on the type of algorithm, the default for rsa is 2048 bits and it takes much longer than the ecc (I always suggest to use ecc if you don't have special compatibility requirements).

[rallep71]

i start the script and the output alpine:~# ./manage_ca.sh build_ca ./manage_ca [build-ca] [server-cert ] [client-cert ] ?

ok, one issue ive found "./manage_ca.sh build_ca" must be "./manage_ca.sh build-ca"

[bestrocker221]

Yes, sorry, I misspelt in the comment above, but when you run it, it tells you the possible commands which are:

• build-ca
• server-cert
• client-cert

I just tested it on a clean alpine container and it works (it uses /bin/bash but it is sh compatible, no problems)

[rallep71]

Sorry, i do not understand,

alpine:~# ./manage_ca.sh client-cert test.mysql.server.box Creating a new server certificate for domain: test.mysql.server.box ./manage_ca.sh: line 138: easyrsa: command not found cp: cannot stat 'pki/private/test.mysql.server.box.key': No such file or directory Signing certificate by CA ./manage_ca.sh: line 141: easyrsa: command not found cp: cannot stat 'pki/issued/test.mysql.server.box.crt': No such file or directory crt and key in client-configs/keys

[bestrocker221]

Try again: https://github.com/bestrocker221/serverstuff/blob/master/manage_ca.sh

By the way:

• what version of alpine are you using?
• which shell?

[rallep71]

i use in alpine linux ash as shell, what do you mean with "what version"?

it's a great project what you're doing. i want to rebuild it, whether directly in a linux system or as a docker-composer. if i should have it running the next consideration would be to write users via php into the database, that would be faster than in a shell.

[bestrocker221]

Thank you for the support! anyway this works as a base, you can always integrate your own DB and then have the logic you prefer to add/administer it (phpmyadmin, shell, mysqlworkbench, webUI)

I'll look into the permission issue and I'll get back to you, try to be fast but I am a bit busy these week

[mperu99]

@bestrocker221 i am trying to get freeradius 3.0.21 on debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux to allow me to authenticate a AD domain account on a windows laptop to a Soniwall AP device, which the AP would be considered a NAS (Client) if i understand this correctly. the so that AP and freeradius are doing EAP??? i think then freeradius will go to the AD (windows server) to ask for domain user is valid and respond back to freeradius , who then in turns tells the AP , yes this windows domain user is valid with that valid password, let them connect and get an IP. so from now on, everytime that staff member boots up and wifi will autoconnect and already knows its credentials and therefore no need to enter them again, so user can access resources.

I can seem to make samba work for NTLM from freeradius to AD and i can see responses on freeradius from the AP , but I think i am missing certs on the AP and the windows client , will your script work for what i need , WPA2-PSK athentications to AP, AP-via EAP to freeradius, freeradius is joined to domain , freeradius MSCHAP to AD .... maybe im all backwards, i am very very green (NEW) to this.

[bestrocker221]

hi @mperu99 ! The setup as it is right now is using MySQL for authenticating the users, but it can be plugged into AD with MSCHAP as you say, but that needs to be configured in the FreeRadius config file. (will try to add it when I got time to test it!) After that, yes, you should configure the AP to use the freeradius IP. That means the clients connecting to wifi will send the creds to the AP, the AP will use MSCHAP towards the AD.

[bestrocker221]

@rallep71 sorry for late response, in order to use the script I mentioned you need to have easy-rsa installed in the system :)