Creating the Client and Server Keys

Now that we've got our CA all set up, we need to issue key pairs for the server and all of our clients. Start by creating a new key pair:

~/CA $ openssl req -new -config ./openssl.cnf -keyout server_key.pem \
-out server_req.pem
Generating a 2048 bit RSA private key
.......+++
.................................+++
writing new private key to 'server_key.pem'
Enter PEM pass phrase: pA55w0rD
Verifying - Enter PEM pass phrase: pA55w0rD
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []: server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now sign the key with our newly created CA:

~/CA $ openssl ca -config ./openssl.cnf -in server_req.pem -out server_cert.pem
Using configuration from ./openssl.cnf
Enter pass phrase for /home/brandon/CA/private/cakey.pem: pA55w0rD
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f2:c8:4a:d0:f5:09:28:b8
        Validity
            Not Before: Nov  1 02:32:07 2007 GMT
            Not After : Oct 31 02:32:07 2008 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = The Great State You Live In
            organizationName          = SmallNetBuilder
            organizationalUnitName    = Security Division
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                71:A0:FB:1C:35:B7:B8:1D:1C:A4:C6:DF:A5:BA:80:6E:89:09:B7:CE
            X509v3 Authority Key Identifier:
                keyid:D0:1E:BF:7B:A8:26:B9:98:B0:81:98:2E:E7:96:CA:57:3D:76:F3:02

Certificate is to be certified until Oct 31 02:32:07 2008 GMT (365 days)
Sign the certificate? [y/n]: y


1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

Update 11/19/2007

Note: If you're planning on using Windows to manage the wireless connection on the clients use the X509v3 extensions we added earlier instead:

~/CA $ openssl ca -config ./openssl.cnf -extensions xpserver_ext \
 -in server_req.pem -out server_cert.pem

Create key pairs for your clients using the exact same command. Just change the key filenames and the "Common Name" to something meaningful for your application. Here's what I used for this set up:

~/CA $ openssl req -new -config ./openssl.cnf -keyout linux_laptop_key.pem \
-out linux_laptop_req.pem
...
Common Name (eg, YOUR name) []: linux_laptop

And:

~/CA $ openssl req -new -config ./openssl.cnf -keyout winxp_laptop_key.pem \
-out winxp_laptop_req.pem
...
Common Name (eg, YOUR name) []: winxp_laptop

Sign both certificate requests the same way we signed the server's certificate. Here's the command for my Linux laptop key:

~/CA $ openssl ca -config ./openssl.cnf -in linux_laptop_req.pem \
 -out linux_laptop_cert.pem

Update 11/19/2007

Again, use the X509v3 extensions if Windows is managing wireless on the clients:

~/CA $ openssl ca -config ./openssl.cnf -extensions xpclient_ext \
 -in winxp_laptop_req.pem -out winxp_laptop_cert.pem

Now we've got both pairs of keys created and signed. Windows needs a little help to understand all this security, so we have to package the client certificate coresponding private key into a PKCS#12 file. Linux is happy working with them either way, so we'll package them both for consistency.

~/CA $ openssl pkcs12 -export -clcerts -in winxp_laptop_cert.pem \
-inkey winxp_laptop_key.pem -out winxp_laptop.p12
Enter pass phrase for winxp_laptop_key.pem: pA55w0rD
Enter Export Password: pA55w0rD
Verifying - Enter Export Password: pA55w0rD

The command above uses OpenSSL's pkcs12 utility to "-export" a new PKCS#12 file. "-clcerts" tells OpenSSL to only export the client certificate and private key (in other configurations, multiple certificates and keys can be packaged into a single PKCS#12 file). Package the Linux certificate and private key using the same command.

Generating good keys relies on having a good set of "random" data to seed the key generation. While not strictly related to generating PKI keys, we'll need this data later on for FreeRAIDUS. We'll use OpenSSL to generate Diffie-Hellman parameters for symmetric key generation.

First, elevate yourself to superuser and create a directory that will house the CA certificate, server public and private keys, a dh file for Diffie-Hellman parameters and a random date file. I chose to put these in /etc/wireless; anywhere readable to FreeRADIUS is fine.

~/CA $ su
Password: pA55w0rD
/home/brandon/CA # mkdir /etc/wireless

Now, copy the server's public and private key and the CA's certificate to /etc/wireless:

/home/brandon/CA # cp cacert.pem server_cert.pem server_key.pem /etc/wireless/

Create 1024-bit Diffie-Hellman parameters with the following:

/etc/wireless # openssl dhparam -out dh 1024 

Next create a random file to seed key generation:

/etc/wireless # dd if=/dev/urandom of=random count=2