2. Obtaining Certificates
OpenSSL must be installed to use either EAP-TLS,
EAP-TTLS, or PEAP!
When using EAP-TLS, both the Authentication Server and all the
Supplicants (clients) need certificates [RFC2459] . Using
EAP-TTLS or PEAP, only the Authentication Server requires
certificates; Supplicant certificates are optional.
You get certificates from the local certificate authority (CA). If
there is no local CA available, OpenSSL
may be used to generate self-signed certificates.
Included with the FreeRADIUS source are
some helper scripts to generate self-signed certificates. The scripts
are located under the scripts/ folder included
with the FreeRADIUS source:
CA.all is a shell script that generates
certificates based on some questions it
ask. CA.certs generates certificates
non-interactively based on pre-defined information at the start of
The scripts uses a Perl script called CA.pl,
included with OpenSSL. The path to this Perl script
in CA.all and CA.certs may
need to be changed to make it work.