Generating Certificates for WiFi Authentication in a Production Environment (WiFi Authentication Setup)

Editor: 迷魂雪  Updated: 2022-09-28

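When we reached the testing phase and connected Apple computers and laptops, we found that the certificate had to be trusted manually, and opening it showed temporary information rather than our company's information, as follows:

Mobile: [screenshot of the certificate prompt]

PC: [screenshot of the certificate prompt]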

Following the README, switch to production certificates as follows:

# cd /etc/raddb/

# cp -a certs/ /tmp

# cd certs/

# ls

The certificates here were generated when radiusd -X was run. When moving to production, delete them, edit the relevant configuration, and run make.

# rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

# vi ca.cnf

[ ca ]

default_ca = CA_default

[ CA_default ]

dir = ./

certs = $dir

crl_dir = $dir/crl

database = $dir/index.txt

new_certs_dir = $dir

certificate = $dir/ca.pem

serial = $dir/serial

crl = $dir/crl.pem

private_key = $dir/ca.key

RANDFILE = $dir/.rand

name_opt = ca_default

cert_opt = ca_default

default_days = 60

default_crl_days = 30

default_md = sha256

preserve = no

policy = policy_match

crlDistributionPoints = URI:http://www.example.org/example_ca.crl

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[ req ]

prompt = no

distinguished_name = certificate_authority

default_bits = 2048

input_password = whatever

output_password = whatever

x509_extensions = v3_ca

[certificate_authority]

countryName = FR

stateOrProvinceName = Radius

localityName = Somewhere

organizationName = Example Inc.

emailAddress = admin@example.org

commonName = "Example Certificate Authority"

[v3_ca]

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer:always

basicConstraints = critical,CA:true

crlDistributionPoints = URI:http://www.example.org/example_ca.crl


Change default_days and default_crl_days in [ CA_default ]:

default_days = 1095

default_crl_days = 730

Change input_password and output_password in the [ req ] section:

input_password = 123

output_password = 123

Change all of the information in [certificate_authority] to match your company's actual details:

[server]

countryName = cn

stateOrProvinceName = beijing

localityName = beijing

organizationName = cc

emailAddress = admin@cc.com

commonName = "Cc Wifi Server Certificate"


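# vi server.cnf    (the changes are essentially the same as above and are not repeated here)

# vi client.cnf    (the changes are essentially the same as above and are not repeated here)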


Then run make:

# make ca.pem

# make ca.der

# make server.pem

# make server.csr

# make client.pem


After the certificates are generated, restart the service:

# systemctl restart radiusd

Connecting again now shows Cc Wifi Server Certificate, and the details are the information edited above.

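Of course, you can switch to a certificate your company has purchased, but I asked the certificate vendor, and Apple devices still need to trust it manually.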
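
A check that can be run in the certs directory after editing the .cnf files and before make, so that template defaults from the ca.cnf listing above (60-day validity, the `whatever` password, Example Inc., example.org URLs such as crlDistributionPoints) do not end up in production certificates. This is an added example, not part of the original article or of FreeRADIUS; `lint_cnf`, `lint_all` and `MIN_PW_LEN` are hypothetical names, and the 12-character password minimum is an assumed local policy.

```shell
#!/bin/sh
# Added example: lint FreeRADIUS certs/*.cnf files before running make.
# lint_cnf and MIN_PW_LEN are hypothetical names; the 12-character minimum
# is an assumed local policy. Template defaults are those shown in ca.cnf.
MIN_PW_LEN=${MIN_PW_LEN:-12}

lint_cnf() {
    # Prints "file: [section] finding" per problem; returns 1 if any were found.
    awk -v f="$1" -v minpw="$MIN_PW_LEN" '
        function trim(s) { gsub(/^[ \t"]+|[ \t"]+$/, "", s); return s }
        function flag(msg) { printf "%s: [%s] %s\n", f, sec, msg; bad++ }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        /^[ \t]*\[/ {                            # section header, e.g. "[ req ]"
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        {
            eq = index($0, "="); if (!eq) next
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            if (key ~ /^(input|output)_password$/) {
                if (val == "whatever") flag(key " is still the template default")
                else if (length(val) < minpw + 0) flag(key " is shorter than " minpw " characters")
            }
            if (key == "default_days" && val + 0 == 60) flag("default_days is still 60")
            if (key == "organizationName" && val == "Example Inc.")
                flag("organizationName is still the template value")
            if (val ~ /example\.org/) flag(key " still points at example.org")
        }
        END { exit (bad > 0) }
    ' "$1"
}

lint_all() {
    # Lint every file given; return 1 if any file had findings.
    rc=0
    for cnf in "$@"; do lint_cnf "$cnf" || rc=1; done
    return $rc
}

# Usage: sh lint_cnf.sh ca.cnf server.cnf client.cnf
[ $# -eq 0 ] || lint_all "$@"
```
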