using OpenSSL for Windows 2003 Internet Authentication Service (IAS). I'm
using IAS for authentication of my WiFi clients. Generating such a
certificate using OpenSSL is not that easy, because MS requires a lot
of extended attributes and I could not find out which they are. Yep, MS
wants you to use its Microsoft Certification Authority. But I'm an
openssl guy and have my CA generated already using openssl.
Here are the steps which helped me to accomplish this dirty task (Big
thanks to Stephen Pillinger):
Generating windows IAS PEAP & LDAPS certificates using OpenSSL
It is possible to generate a signed certificate for Windows Internet
Authentication Service (IAS) and LDAPS access to an Active Directory
You need to generate a private/public key pair, sign it with your chosen
CA, convert it to PKCS12 format and then import it into your Windows
Sounds simple - it is until you find that Windows requires the PKCS12
file to contain a couple of Microsoft specific Bag Attributes. Namely
the Cryptographic Service Provider (oid=1.3.6.1.4.1.311.17.1) set to
'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet
(oid=1.3.6.1.4.1.311.17.2) set to an empty string.
OpenSSL currently doesn't appear to support LocalKeySet so it's
necessary to patch it yourself.
Download this patch for version 0.9.8a of OpenSSL; it is based on a patch by
Daniel Carroll for version 0.9.7d, modified slightly for later versions.
Once you've got your new patched version of OpenSSL, you need to generate
a CSR in the usual way and get it signed by a CA. There are a few
requirements that the certificate must comply with in order to work:
* The certificate must chain to a trusted CA.
* The X509 Extended Key Usage must contain Server Authentication.
* The name in the subject line of the certificate must match the
  fully qualified machine name.
  o For LDAPS the subject line must match the full computer
    name including the Active Directory domain (eg.
    hostname.ad-domain.domain) as indicated by the Computer Name tab of the
* The certificate must pass the CryptoAPI certificate store checks
  - in order to do this the PKCS12 file must have the bag attributes
To add the extra bag attributes use the following command:
openssl pkcs12 -name "PEAP Certificate" -export -in peap.pem -out peap.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK
Import the PKCS12 file into your machine's personal certificate store and
it should now work with PEAP or LDAPS.
In order to ensure that the certificate contains the correct
extendedKeyUsage attributes you will need to add the following to your
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
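The whole procedure above (CSR, signing with the sign_ias_csr section, PKCS12 export with -CSP and -LMK), as an added shell example that is not part of the original post. It assumes an OpenSSL whose pkcs12 command already carries -CSP and -LMK (the LocalKeySet patch was merged into OpenSSL long ago); the hostname ias01.ad.example.com, the CA name and the export password are constructed stand-ins, and the two check functions at the end verify the EKU and the Microsoft bag attributes that Windows looks for.

```shell
# Added example, not from the original post: runs the procedure above end to
# end and checks the result. Assumes an OpenSSL with -CSP and -LMK in pkcs12
# (the LocalKeySet patch was merged long ago); names and password are made up.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="pass:exportpw"
# Request settings plus the signing section from the post; the CN must be
# the FQDN shown on the Computer Name tab of the server.
cat > "$WORKDIR/ias.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = ias01.ad.example.com
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
EOF
build_ias_p12() {
  # Throwaway CA standing in for "your chosen CA".
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab CA" \
    -config "$WORKDIR/ias.cnf" -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
  # Key pair and CSR "in the usual way".
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/ias.cnf" \
    -keyout "$WORKDIR/peap.key" -out "$WORKDIR/peap.csr" 2>/dev/null
  # Sign with the extension section so serverAuth lands in the EKU.
  openssl x509 -req -days 365 -in "$WORKDIR/peap.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -extfile "$WORKDIR/ias.cnf" \
    -extensions sign_ias_csr -out "$WORKDIR/peap.pem" 2>/dev/null
  # Export with the two Microsoft bag attributes; SHA1/3DES PBE because old
  # Windows does not understand OpenSSL 3's AES/SHA-256 defaults.
  openssl pkcs12 -export -name "PEAP Certificate" -in "$WORKDIR/peap.pem" \
    -inkey "$WORKDIR/peap.key" -certfile "$WORKDIR/ca.pem" \
    -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "$PASS" -out "$WORKDIR/peap.p12"
  echo "$WORKDIR/peap.p12"
}
# Succeeds only if Server Authentication is in the certificate's EKU.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}
# Succeeds only if the PKCS12 carries the CSP name and the LocalKeySet bag.
p12_has_ms_bag_attrs() {
  attrs=$(openssl pkcs12 -in "$1" -passin "$PASS" -nodes -nocerts 2>/dev/null)
  echo "$attrs" | grep -q "Microsoft RSA SChannel Cryptographic Provider" &&
    echo "$attrs" | grep -qiE "local ?key ?set|1\.3\.6\.1\.4\.1\.311\.17\.2"
}
```

Running `build_ias_p12` and then the two checks against its output is the quickest way to confirm, before touching the Windows box, that the file will pass the CryptoAPI store checks described above.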