
I am helping my school IT set up a RADIUS authentication system using PEAP/EAP-TTLS. We are able to achieve successful connection with the user devices, but the users need to accept a "Not trusted" self-signed certificate.

I am considering using the free LetsEncrypt to generate such a certificate. However, LetsEncrypt uses domain validation, which is not possible at this moment. I have a personal website that uses LetsEncrypt.

I copied the fullchain.pem, privkey.pem and cert.pem, and imported all of them (privkey.pem failed to get imported). We are using a Windows 7 system, and are using TekRadius as the server. Although the fullchain and cert are imported successfully, I can only see the client-authentication cert in the dropdown list. I need Server-Authentication to contain the cert so that I can add it to the users.

Pardon my limited knowledge, as I am basically trying out possibilities without fully understanding the technology (I am helping my IT department due to my technical knowledge, though it is not my main job to set up the network).

Is it even possible to "recycle" my valid personal certificate to be used in the RADIUS server?

Standstill

1 Answer


Is it even possible to "recycle" my valid personal certificate to be used in the RADIUS server?

A certificate is valid only for the domains listed in the certificate. Since your private domain is likely not the domain of the RADIUS server, you cannot reuse your certificate there. Apart from that, it is a bad idea to give your secret key to the school, since this is what you would need to do in order to use your existing certificate on their RADIUS server. But see Use Let’s Encrypt Certificates with FreeRADIUS for how you could proceed.

Steffen Ullrich
  • Yes, I have read the link you provided. In fact, I followed the instructions, except that the instructions were for FreeRADIUS while I am using Windows TekRADIUS. I imported the fullchain.pem and privkey.pem (failed) and TekRADIUS could not detect the server certificate. I understood that the idea is bad, but it's one idea that came across my mind; the other was just to let the users trust a "Not trusted" certificate. – Standstill Sep 22 '19 at 08:49
  • @Standstill: Specific configuration problems of servers are on-topic at https://serverfault.se and off-topic here. They also need a detailed description of what you exactly did (*"... except that the instructions were for FreeRadius while I am using Windows TekRADIUS"* is not sufficient) and what errors you exactly got (just *"failed"* and *"could not detect"* are not sufficient). Apart from that, your original question was answered and follow-ups should not be asked in the comments, even if slightly related. – Steffen Ullrich Sep 22 '19 at 09:11
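The answer's point, that a certificate only covers the names listed in it, can be checked with OpenSSL before anything is imported into a RADIUS server. The script below is an added example, not code from the question, the answer, or TekRADIUS; the host names radius.school.example and www.personal.example are hypothetical, and the "personal web-site certificate" it inspects is a throwaway self-signed certificate generated on the spot rather than a real Let's Encrypt one. It reports whether the certificate's Subject Alternative Name covers a given host (wildcards included, via `openssl x509 -checkhost`) and whether the certificate carries the TLS Web Server Authentication extended key usage, which an EAP server certificate needs and which a client-authentication-only certificate lacks.

```shell
#!/bin/sh
# Added example: does a certificate cover a RADIUS server's host name, and is it
# marked for server authentication? Host names and the certificate are constructed.
set -e

RADIUS_HOST="radius.school.example"   # hypothetical RADIUS server name
WEB_HOST="www.personal.example"       # hypothetical personal web-site name

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed certificate standing in for the personal
# web-site certificate: SAN = the web host, EKU = serverAuth + clientAuth.
make_web_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$WEB_HOST" \
        -addext "subjectAltName=DNS:$WEB_HOST" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" \
        -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Exit 0 when the certificate's SAN matches the host name ($1 = cert, $2 = host).
# -checkhost applies the same matching rules a TLS client uses, wildcards included.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Exit 0 when the EKU extension lists TLS Web Server Authentication ($1 = cert).
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "Extended Key Usage" \
        | grep -q "TLS Web Server Authentication"
}

# Print a one-line verdict for a host; exit status 1 when the name is not covered.
report() {
    if cert_covers_host "$1" "$2"; then
        echo "$2: covered by the certificate's SAN"
    else
        echo "$2: NOT covered (the certificate is valid only for the names in its SAN)"
        return 1
    fi
}

make_web_cert
if cert_has_server_auth "$WORK/cert.pem"; then
    echo "EKU includes TLS Web Server Authentication"
fi
report "$WORK/cert.pem" "$WEB_HOST"
report "$WORK/cert.pem" "$RADIUS_HOST" || true
```

Run against a real certificate file, `report /path/to/cert.pem radius.school.example` answers the question's first hurdle (name coverage) and `cert_has_server_auth` the second (the Server Authentication usage) without touching the private key at all; the key only needs to leave the web host if both checks pass, which for a certificate issued to a different domain they will not.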