Cisco 4402 Configuration Guide - Page 56

Installing a certificate for FreeRADIUS - commands

C. Installing a certificate for FreeRADIUS

To order and obtain a certificate with the help of UNINETT's SCS service, see http://forskningsnett.uninett.no/scs/hvordan.html. This also describes how to generate the RADIUS server's private key (CSR), using openssl. The private key must be submitted via UNINETT's SCS service and forms the basis for issuing a certificate. When this has been completed, the certificate must be installed on the RADIUS server.

FreeRADIUS requires the entire certificate chain to be included in the final certificate. In effect the certificate will consist of three parts: first the private key you have generated, then the certificate issued by TERENA and finally the certificate issued by Comodo UserTrust. The combined certificate is saved as "somethingorother.pem". It is then placed in the location specified in the RADIUS configuration, often in /etc/FreeRADIUS/cert/.

Below is an example of how such a certificate may appear (this is not a real certificate, as this could naturally not be published):

    -----BEGIN RSA PRIVATE KEY-----        <- Private key
    ........
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----            <- Certificate issued by TERENA
    ........
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----            <- Certificate issued by Comodo UserTrust
    ........
    -----END CERTIFICATE-----

If you wish to verify the authenticity of the partial certificates from TERENA or Comodo, you must divide these into separate files (for example "partcertificate.pem") and then run the command:

    openssl x509 -noout -text -in partcertificate.pem

The following is an example of the output obtained when this command was run for a TERENA partial certificate valid for the server called "radius-test.uninett.no":
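The split-and-inspect step described above, as an added shell example that is not part of the original guide and is not the openssl output the guide refers to. The function names (split_pem, inspect_parts, write_sample) and the part1.pem, part2.pem, ... output names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the guide): split a combined FreeRADIUS PEM file
# into one file per block and inspect each certificate with openssl.

# split_pem FILE OUTDIR
# Writes each PEM block to OUTDIR/part1.pem, part2.pem, ... in file order and
# prints one "N LABEL" line per block, e.g. "2 CERTIFICATE".
split_pem() {
    (
        umask 077   # parts may hold the private key: owner-only access
        mkdir -p "$2" || exit 1
        awk -v dir="$2" '
            /^-----BEGIN [A-Z0-9 ]+-----$/ {
                n++; out = dir "/part" n ".pem"
                label = $0
                sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
                print n, label
                inblock = 1
            }
            inblock { print > out }
            /^-----END [A-Z0-9 ]+-----$/ { inblock = 0; close(out) }
        ' "$1"
    )
}

# inspect_parts FILE OUTDIR
# Splits FILE, then prints subject, issuer and validity of each certificate.
# Private key blocks are reported but never displayed.
inspect_parts() {
    split_pem "$1" "$2" | while read -r n label; do
        case "$label" in
            CERTIFICATE)
                echo "== part$n.pem"
                openssl x509 -noout -subject -issuer -dates -in "$2/part$n.pem" ;;
            *"PRIVATE KEY")
                echo "== part$n.pem: private key (not displayed)" ;;
        esac
    done
}

# Constructed sample: placeholder bodies, enough to exercise split_pem but
# not parseable by openssl.
write_sample() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
        '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-SERVER-CERT' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-ISSUER-CERT' '-----END CERTIFICATE-----' \
        > "$1"
}
```

On a real server, calling inspect_parts with the combined file (for example somethingorother.pem) and an empty output directory should report a private key for part 1 and show the server certificate's issuer matching the subject of the certificate that follows it.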
