17.4. Creating a set of certificates on a FreeRADIUS server for testing purposes

For testing purposes, the freeradius package installs scripts and configuration files in the /etc/raddb/certs/ directory that create your own certificate authority (CA) and issue certificates signed by it.

Important

If you use the default configuration, the certificates these scripts generate expire after 60 days (the default_days setting in the [CA_default] section of each *.cnf file), and the private keys are protected with the insecure password "whatever". However, you can customize the CA, server, and client configuration. Certificates created this way are suitable only for testing; for production, use certificates issued by your organization's CA.

After you complete this procedure, the following files, which are required later in this document, exist:

  • /etc/raddb/certs/ca.pem: the CA certificate
  • /etc/raddb/certs/server.key: the private key of the server certificate
  • /etc/raddb/certs/server.pem: the server certificate
  • /etc/raddb/certs/client.key: the private key of the client certificate
  • /etc/raddb/certs/client.pem: the client certificate

Prerequisites

  • The freeradius package is installed.

Procedure

  1. Change into the /etc/raddb/certs/ directory:

    # cd /etc/raddb/certs/
  2. Optional: Customize the CA configuration in the /etc/raddb/certs/ca.cnf file:

    ...
    [ req ]
    default_bits            = 2048
    input_password          = ca_password
    output_password         = ca_password
    ...
    [certificate_authority]
    countryName             = US
    stateOrProvinceName     = North Carolina
    localityName            = Raleigh
    organizationName        = Example Inc.
    emailAddress            = admin@example.org
    commonName              = "Example Certificate Authority"
    ...
  3. Optional: Customize the server configuration in the /etc/raddb/certs/server.cnf file:

    ...
    [ CA_default ]
    default_days            = 730
    ...
    [ req ]
    distinguished_name      = server
    default_bits            = 2048
    input_password          = key_password
    output_password         = key_password
    ...
    [server]
    countryName             = US
    stateOrProvinceName     = North Carolina
    localityName            = Raleigh
    organizationName        = Example Inc.
    emailAddress            = admin@example.org
    commonName              = "Example Server Certificate"
    ...
  4. Optional: Customize the client configuration in the /etc/raddb/certs/client.cnf file:

    ...
    [ CA_default ]
    default_days            = 365
    ...
    [ req ]
    distinguished_name      = client
    default_bits            = 2048
    input_password          = password_on_private_key
    output_password         = password_on_private_key
    ...
    [client]
    countryName             = US
    stateOrProvinceName     = North Carolina
    localityName            = Raleigh
    organizationName        = Example Inc.
    emailAddress            = user@example.org
    commonName              = user@example.org
    ...
  5. Create the CA, server, and client certificates:

    # make all
  6. Change the group of the /etc/raddb/certs/server.pem file to radiusd so that the radiusd service can read it:

    # chgrp radiusd /etc/raddb/certs/server.pem

Additional resources

  • /etc/raddb/certs/README.md