Setup a CA and a self-signed certificate
2. Create the CSR and EXT files for our server certificate
Let’s create a server SSL certificate that we will sign with the root CA.
The EXT file contains the certificate extensions (basic constraints, key usage, extended key usage and subject alternative names) that some applications require. Modify it according to your needs.
$DOMAIN.v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = eduroam.uni.ac.ma
DNS.2 = radius.uni.ac.ma
Now we generate the server key and CSR; you can leave the email address and challenge password empty.
openssl genrsa -out $DOMAIN.key 4096
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
3. Sign the server certificate with our CA.
openssl x509 -req -days 390 -in $DOMAIN.csr -CA $CANAME.crt -CAkey $CANAME.key -out $DOMAIN.crt -CAcreateserial -sha256 -extfile $DOMAIN.v3.ext
To check that the server certificate is correct, let’s run the command:
openssl x509 -in $DOMAIN.crt -noout -text | head
If you need Diffie-Hellman parameters, generate them with the following command:
openssl dhparam -check -text -5 -out /etc/raddb/certs/dh 1024
4. Configure auto-renewal for the certificate
To make our life easier, let's configure a cron job to auto-renew the certificate. First, let's write a script for the renewal command and name it renew-$DOMAIN-cert.sh:
#!/bin/bash
# Abort on the first failing command (for example if the CA directory is missing).
set -e
CANAME=MARWAN-CA
DOMAIN=radius.marwan.ma
cd /root/$CANAME
# Re-sign the existing CSR with the CA for another 390 days, keeping the same extensions.
openssl x509 -req -days 390 -in $DOMAIN.csr -CA $CANAME.crt -CAkey $CANAME.key -out $DOMAIN.crt -CAcreateserial -sha256 -extfile $DOMAIN.v3.ext
And now we make it executable:
chmod +x renew-$DOMAIN-cert.sh
Then we configure a cron job to execute the script. I've chosen to run it every 3 months, but you can tune it to your liking. We run the command crontab -e and paste the following content:
46 13 * */3 * /root/$CANAME/renew-radius-cert.sh
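The following shell script is an added example and is not part of the original guide or its project. It turns steps 2 to 4 into functions: it writes the same v3.ext file, builds a throwaway CA and server certificate (the CA name demo-ca and the domain radius.example.test are constructed), verifies what "openssl x509 -text | head" only lets you eyeball (the chain to the CA, the SAN entries and the serverAuth EKU), and re-signs only when the certificate is close to expiry, writing the new certificate to a temporary file and replacing the live one only after it verifies. It assumes the openssl command-line tool is installed. One observation on the cron line above: "46 13 * */3 *" fires at 13:46 on every day of January, April, July and October, so the guide's script re-signs daily during those months; the expiry check here makes such a schedule harmless because nothing is rewritten until the certificate is actually due.

```shell
#!/bin/sh
# Added example, not from the original guide: steps 2-4 as checkable shell
# functions plus an expiry-gated renewal. Assumes the openssl CLI is installed;
# "demo-ca" and "radius.example.test" are constructed names.

# Write the v3.ext file from the guide, one DNS SAN entry per name given.
write_ext_file() {                  # write_ext_file OUT.ext name1 [name2 ...]
    local out=$1 i=1; shift
    {
        echo "authorityKeyIdentifier=keyid,issuer"
        echo "basicConstraints=CA:FALSE"
        echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
        echo "extendedKeyUsage = serverAuth"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        for name in "$@"; do
            echo "DNS.$i = $name"
            i=$((i + 1))
        done
    } > "$out"
}

# Sign DOMAIN's CSR with the CA for 390 days (the command from step 3).
sign_csr() {                        # sign_csr DIR CANAME DOMAIN OUT.crt
    local dir=$1 caname=$2 domain=$3 out=$4
    openssl x509 -req -days 390 -in "$dir/$domain.csr" \
        -CA "$dir/$caname.crt" -CAkey "$dir/$caname.key" -CAcreateserial \
        -sha256 -extfile "$dir/$domain.v3.ext" -out "$out" 2>/dev/null
}

# Build a throwaway root CA plus a signed server certificate in DIR.
make_test_pki() {                   # make_test_pki DIR CANAME DOMAIN
    local dir=$1 caname=$2 domain=$3
    mkdir -p "$dir" || return 1
    # Root CA: key and self-signed certificate (step 1 of the guide).
    openssl genrsa -out "$dir/$caname.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/$caname.key" \
        -subj "/CN=$caname" -out "$dir/$caname.crt" 2>/dev/null
    # Server key and CSR (step 2); -subj replaces the interactive prompts.
    # 2048 bits keeps the demo fast; the guide uses 4096.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -out "$dir/$domain.csr" 2>/dev/null
    write_ext_file "$dir/$domain.v3.ext" "$domain" "eduroam.$domain"
    sign_csr "$dir" "$caname" "$domain" "$dir/$domain.crt"
}

# Verify that CRT chains to the CA, carries EXPECTED_DNS as a SAN and is
# marked for server authentication. Exit codes 1/2/3 tell which check failed.
verify_server_cert() {              # verify_server_cert CRT CA.crt EXPECTED_DNS
    local crt=$1 ca=$2 name=$3 text
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -qF "DNS:$name" || return 2
    echo "$text" | grep -qF "TLS Web Server Authentication" || return 3
    return 0
}

# True (exit 0) when the certificate expires within DAYS days.
needs_renewal() {                   # needs_renewal CRT DAYS
    local crt=$1 days=$2
    # -checkend exits 0 while the cert stays valid for the whole window.
    if openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# What the cron job should call: re-sign only when due, write to a temporary
# file, verify it, and only then replace the live certificate.
renew_if_needed() {                 # renew_if_needed DIR CANAME DOMAIN DAYS
    local dir=$1 caname=$2 domain=$3 days=$4
    local crt="$dir/$domain.crt" new="$dir/$domain.crt.new"
    if ! needs_renewal "$crt" "$days"; then
        echo "$domain: not due for renewal"
        return 0
    fi
    sign_csr "$dir" "$caname" "$domain" "$new" || return 1
    verify_server_cert "$new" "$dir/$caname.crt" "$domain" || { rm -f "$new"; return 1; }
    mv -f "$new" "$crt"
    echo "$domain: renewed"
}

# Stand-alone use: sh renew-check.sh /tmp/pki   (builds the demo PKI there)
if [ -n "${1:-}" ]; then
    make_test_pki "$1" demo-ca radius.example.test
    verify_server_cert "$1/radius.example.test.crt" "$1/demo-ca.crt" radius.example.test \
        && echo "radius.example.test: certificate OK"
    renew_if_needed "$1" demo-ca radius.example.test 30
fi
```

For a real deployment you would drop make_test_pki, point renew_if_needed at the directory from the guide (/root/$CANAME) and call it from cron with a window of roughly 30 days; because renewal reuses the CSR, the server keeps its private key, so only the certificate file changes and the service then needs a reload.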