Mike Richardson
92bcbd0e81
Added bits option
|
5 rokov pred | |
|---|---|---|
| .gitignore | 5 rokov pred | |
| README.md | 5 rokov pred | |
| cert_gen.py | 5 rokov pred | |
| certs.py | 5 rokov pred | |
| cli.py | 5 rokov pred | |
| requirements.txt | 5 rokov pred |
README.md
Code from https://utilities.govroam.uk/certs for generating eduroam/Govroam SSL certs.
These certs are specifically designed to work well with eduroam/Govroam and include all the features required to ensure that as many clients as possible are compatible.
This is the command line version, which can be installed locally and run securely (it's not advisable to use the website for production as Jisc can't guarantee the security of the information entered or returned).
Install
git clone http://gitlab.perpetual.name/doctor/certgencli.git CertGenCLI
cd CertGenCLI
Either install the python cryptography package
apt-get install python-cryptography
or
pip install -r requirements.txt
The latter doesn't appear to work too well on Debian.
Run
cli.py -c -s -l -o -ou -n -r -p -d
e.g. ./cli.py -d /tmp -n fred.site.com -cGB -sWales -lCardiff -oSomewhere -uSomething -pakjdslfasd
This will create all the necessary certificates in /tmp
rootca.pem server-cert.pem server-key.pem list.crl root-key.pem
RootCA
To be installed on the client, as a trusted Root Certificate. If using the CAT, upload this when creating a profile and set the "Name (CN) of Authentication Server" to idp.westeros.zz. It can be pushed out to clients via a policy, or downloaded in 'mobileconfig' files or published on a web site
Server Cert
To be installed on the RADIUS IdP. Put this, along with the Server Key below, on to your RADIUS server and configure as part of the EAP security. Do not install the above Root CA on the server.
Server Key
To be installed on the RADIUS IdP, as above.
CRL
Publish at the URL https://idp.westeros.zz/list.crl. It should be accessible by all clients. Whilst not necessary for clients to authenticate it reduces the risk of some clients rejecting the authentication.
RootCA Key
To be kept safe, along with the password used, and is required for any future server certificates, or to change the CRL
Notes
You can check the certificates by running:
openssl x509 -noout -text -in
which will work for rootca.pem and server-cert.pem
openssl rsa -in -check
which will work for server-key.pem and root-key.pem
openssl crl -noout -text -in
which will work for list.crl
The default password is 'something'.