
Recently I've created a RADIUS server (FreeRADIUS) that authenticates with Active Directory. I followed this link to create this server: Now, when I look at the "server.cnf" file in /etc/raddb/cert, I just realized that the certificate will expire by next month. So, I am really worried because I don't have any idea how I can regenerate a new certificate. Also, in /etc/raddb/cert there are several files like:

01.pem, ca.cnf, ca.key, client.cnf, index.txt, index.txt.old, random, serial, server.cnf, server.csr, server.p12, xpextensions, bootstrap, ca.der, ca.pem, dh, index.txt.attr, Makefile, README, serial.old, server.crt, server.key, server.pem

Now, I am a little confused. What exactly should I do to extend the expiry date of this certificate?


radius.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}

instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/cert/Server.cnf

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/server.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/server.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 60
default_crl_days        = 30
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = server
default_bits            = 2048
input_password          = whatever
output_password         = whatever

[server]
countryName             = FR
stateOrProvinceName     = Radius
localityName            = Somewhere
organizationName        = Example Inc.
emailAddress            = admin@example.com
commonName              = "Example Server Certificate"
HBruijn
Debian
  • You created it "recently" and it will expire "by next month"? This does not sound sensible. Are you using certificates at all? Please post your radius config file - I assume you are not even using any certificate! – cornelinux Sep 17 '14 at 07:39
  • Yes, as I said, I installed that server around 1 month ago. Actually that's really bizarre. I'll send you the radius.conf file. Please let me know if you need any other files. – Debian Sep 17 '14 at 13:19
  • When I try to run the "bootstrap" script or "make all", the end of the run returns this message (just for 60 days): – Debian Sep 17 '14 at 17:19

1 Answer


When I try to run the "bootstrap" script or "make all", the end of the run returns this message (just for 60 days):

openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 17 15:55:12 2014 GMT
            Not After : Nov 16 15:55:12 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Nov 16 15:55:12 2014 GMT (60 days)

ThoriumBR
Debian
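
The 60-day lifetime in the openssl ca output above comes from default_days in the CA section of the file passed with -config, since no -days option is given. As an added example (not part of the original post or of FreeRADIUS), this script reads that value from each .cnf file named in the question and flags a server.pem that is close to expiry; the function names and the 30-day warning window are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Print default_days from the CA section an OpenSSL config selects:
#   [ ca ] default_ca = NAME   ->   [ NAME ] default_days = N
cnf_default_days() {
    awk '
        /^[ \t]*\[/ {                          # section header, e.g. "[ CA_default ]"
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        {
            line = $0; sub(/[#].*/, "", line)  # drop trailing comments
            i = index(line, "="); if (i == 0) next
            key = substr(line, 1, i - 1); val = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == "ca" && key == "default_ca") ca = val
            if (key == "default_days") days[sec] = val
        }
        END { if (ca != "" && (ca in days)) print days[ca]; else exit 1 }
    ' "$1"
}

# True (0) if the certificate in $1 expires within $2 days. An unreadable
# file also yields true, so a broken path is flagged rather than ignored.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

audit_certs() {   # $1 = certificate directory, $2 = warning window in days
    for f in ca.cnf server.cnf client.cnf; do
        d=$(cnf_default_days "$1/$f" 2>/dev/null) || d="unset"
        echo "$f: default_days=$d"
    done
    if cert_expires_within "$1/server.pem" "${2:-30}"; then
        echo "WARNING: server.pem expires within ${2:-30} days (or is unreadable)"
    fi
}

# Constructed sample, trimmed from the server.cnf quoted in the question.
sample_cnf() {
    printf '%s\n' '[ ca ]' 'default_ca = CA_default' \
        '[ CA_default ]' 'default_days = 60  # certificate lifetime' 'default_md = sha1'
}
if [ $# -gt 0 ]; then
    audit_certs "$@"
else
    sample_cnf | cnf_default_days -    # prints 60
fi
```

Run it with the certificate directory as the first argument (for example /etc/raddb/cert from the question) and, optionally, a warning window in days as the second.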