Security

Reply
Super Contributor II
Posts: 355
Registered: ‎02-22-2011

SSL Certificates

Hi All,

 

Have a quick question regarding certificate use in Amigopod.

 

I am about to apply to an external CA (Entrust) for a signed certificate. Can the same SSL certificate that is used for the web interface be used for the Radius server ID as well?

 

Scott

Moderator
Posts: 150
Registered: ‎11-14-2011

Re: SSL Certificates

Both the Web Server and RADIUS components of Amigopod can leverage the same server certificate from what I understand. The CSR generated by either component of Amigopod will include an x509 Extended Key Usage as shown in the example below:

 

Requested Extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication

 

The TLS Web Server Authentication is common across both the web server and RADIUS server so this should allow the same certiicate to be used for both functions.

 

You will need to be a bit careful in the process you use to create the CSR as this will determine where the private key is stored and the availability for it to be exported and hence imported back into the opposing component of Amigopod.

 

I would suggest working with the TAC on the procedure to make sure you don't have any problems whilst getting the CSR signed by Entrust.

 


Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: SSL Certificates

Thanks Cam,

 

I spoke with the TAC and was able to deploy the same certificate to both functions by generaitng requests using openssl and this removing the private key from the control of amigopod. a little bit more work but its certainly worth the hassle.

 

Below is the process outlined by the TAC for anybody trying the same thing.

 

>>1) Generate a CSR + Private Key

>>Amigopod can not be used for this step because there a no options to

>>export the private key during any CSR creation page.  I used openssl

>>from MAC command line to generate the CSR and key.  Openssl will ask

>>the usual CSR options (Country, State, Common Name, etc) and will ask

>>for a private key passphrase.

>> 

>># openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout

>>privateKey.key

>> 

>>2) Get the CSR signed by your choice of CA.  For my testing, I signed

>>it by Amigopod's own certificate authority, MDPS.

>> 

>>3) Install the certificate for Amigopod Web SSL.  Administrator ->

>>Network Setup -> SSL Certificate.  Upload the signed certificate, any

>>intermediate certificates given by CA (concatenated into one file),

>>the root certificate, and the private key.  Enter the private key

>>passphrase defined in step 1.

>> 

>>4) Install the certificate for Amigopod EAP termination.  RADIUS ->

>>Authentication -> EAP & 802.1X -> Import Server Certificate.  Upload

>>the signed certificate, private key, and root certificate as done in step 3.

>>The only difference is that you will need to concatenate the

>>intermediate

>>certificate(s) and root certificate into one .pem file.

Search Airheads
Showing results for 
Search instead for 
Did you mean: