17.4. Creating a set of certificates on a FreeRADIUS server for testing purposes
For testing purposes, the freeradius package installs scripts and configuration files in the /etc/raddb/certs/ directory that you can use to create your own certificate authority (CA) and to issue certificates.
Important
If you use the default configuration, the certificates these scripts generate expire after 60 days, and the private keys are protected with an insecure passphrase ("whatever"). However, you can customize the CA, server, and client configuration before you create the certificates.
After you complete this procedure, the following files, which are required later in this document, exist:
- /etc/raddb/certs/ca.pem: the CA certificate
- /etc/raddb/certs/server.key: the private key of the server certificate
- /etc/raddb/certs/server.pem: the server certificate
- /etc/raddb/certs/client.key: the private key of the client certificate
- /etc/raddb/certs/client.pem: the client certificate
Prerequisites
- The freeradius package is installed.
Procedure
1. Change into the /etc/raddb/certs/ directory:
   # cd /etc/raddb/certs/
2. Optional: Customize the CA configuration in the /etc/raddb/certs/ca.cnf file:
   ...
   [ req ]
   default_bits = 2048
   input_password = ca_password
   output_password = ca_password
   ...
   [certificate_authority]
   countryName = US
   stateOrProvinceName = North Carolina
   localityName = Raleigh
   organizationName = Example Inc.
   emailAddress = admin@example.org
   commonName = "Example Certificate Authority"
   ...
3. Optional: Customize the server configuration in the /etc/raddb/certs/server.cnf file:
   ...
   [ CA_default ]
   default_days = 730
   ...
   [ req ]
   distinguished_name = server
   default_bits = 2048
   input_password = key_password
   output_password = key_password
   ...
   [server]
   countryName = US
   stateOrProvinceName = North Carolina
   localityName = Raleigh
   organizationName = Example Inc.
   emailAddress = admin@example.org
   commonName = "Example Server Certificate"
   ...
4. Optional: Customize the client configuration in the /etc/raddb/certs/client.cnf file:
   ...
   [ CA_default ]
   default_days = 365
   ...
   [ req ]
   distinguished_name = client
   default_bits = 2048
   input_password = password_on_private_key
   output_password = password_on_private_key
   ...
   [client]
   countryName = US
   stateOrProvinceName = North Carolina
   localityName = Raleigh
   organizationName = Example Inc.
   emailAddress = user@example.org
   commonName = user@example.org
   ...
5. Create the certificates:
   # make all
6. Change the group of the /etc/raddb/certs/server.pem file to radiusd:
   # chgrp radiusd /etc/raddb/certs/server.pem*
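The procedure above, as an added example that is not part of the freeradius package or of this document: a POSIX shell script that audits the ca.cnf, server.cnf and client.cnf settings the Important box warns about (default_days, input_password/output_password, default_bits) before you run make all, and that verifies the generated server.pem against ca.pem afterwards. The cnf_get, cnf_audit and cert_check function names, the CERTS_DIR variable and the two sample .cnf files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the freeradius package or of the procedure above.
# Audits the OpenSSL config files in the certs directory for the test defaults
# (60-day lifetime, passphrase "whatever", small keys) before `make all`, and
# checks the produced server.pem against ca.pem afterwards. CERTS_DIR and both
# sample .cnf files are constructed; use CERTS_DIR=/etc/raddb/certs on a server.

# cnf_get FILE SECTION KEY: print the value of KEY inside [ SECTION ] of an
# OpenSSL-style config file ('#' comments ignored, blanks trimmed); empty if absent.
cnf_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                      # section header: [ name ]
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
            insec = (s == want); next
        }
        insec {                                  # key = value   # comment
            line = $0; sub(/#.*/, "", line)
            if (match(line, "^[[:space:]]*" key "[[:space:]]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }
    ' "$1"
}

# cnf_audit FILE: print one line per test default still present in FILE;
# return 1 if anything was found, 0 if the file is clean.
cnf_audit() {
    f=$1; n=0
    days=$(cnf_get "$f" CA_default default_days)
    bits=$(cnf_get "$f" req default_bits)
    in_pw=$(cnf_get "$f" req input_password)
    out_pw=$(cnf_get "$f" req output_password)
    case $in_pw in
        ''|whatever) echo "$f: input_password is the package default (${in_pw:-unset})"; n=$((n + 1)) ;;
    esac
    if [ "$in_pw" != "$out_pw" ]; then
        echo "$f: input_password and output_password differ"; n=$((n + 1))
    fi
    if [ -z "$days" ] || [ "$days" -le 60 ]; then
        echo "$f: default_days = ${days:-unset} (test default is 60 days)"; n=$((n + 1))
    fi
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "$f: default_bits = ${bits:-unset} (use at least 2048)"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# cert_check DIR: after `make all`, verify server.pem chains to ca.pem and show
# its subject and expiry date. Requires the openssl CLI.
cert_check() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" || return 1
    openssl x509 -in "$1/server.pem" -noout -subject -enddate
}

CERTS_DIR=$(mktemp -d)   # constructed stand-in for /etc/raddb/certs/

# Constructed sample 1: a ca.cnf left at the package's test defaults.
cat > "$CERTS_DIR/ca.cnf" <<'EOF'
[ CA_default ]
default_days = 60

[ req ]
default_bits = 2048
input_password = whatever
output_password = whatever
distinguished_name = certificate_authority

[certificate_authority]
commonName = "Example Certificate Authority"
EOF

# Constructed sample 2: a server.cnf customized as in the optional server step.
cat > "$CERTS_DIR/server.cnf" <<'EOF'
[ CA_default ]
default_days = 730   # two years

[ req ]
default_bits = 2048
input_password = key_password
output_password = key_password

[server]
commonName = "Example Server Certificate"
EOF

for f in "$CERTS_DIR"/*.cnf; do
    if cnf_audit "$f"; then
        echo "$f: OK"
    fi
done

# Only meaningful once `make all` has produced the certificates.
if [ -f "$CERTS_DIR/server.pem" ] && command -v openssl >/dev/null 2>&1; then
    cert_check "$CERTS_DIR"
fi
```

On a real server, run it as root with CERTS_DIR set to /etc/raddb/certs; every line cnf_audit prints names a setting that the corresponding optional customization step has not yet changed from the test default, and cert_check gives you the expiry date you will need to track before the certificates stop working.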
Additional resources
- /etc/raddb/certs/README.md