Thursday, October 11, 2007

Generating windows IAS PEAP & LDAPS certificates using OpenSSL

Today I spent a nice afternoon finding out how to create an SSL certificate
using OpenSSL for the Windows 2003 Internet Authentication Service (IAS). I'm
using IAS to authenticate my WiFi clients. Generating such a
certificate using OpenSSL is not that easy, because MS requires a lot
of extended attributes and I could not find out which they are. Yep, MS
wants you to use its Microsoft Certification Authority. But I'm an
openssl guy and have my CA generated already using openssl.

Here are the steps which helped me to accomplish this dirty task (Big
thanks to Stephen Pillinger):


Generating windows IAS PEAP & LDAPS certificates using OpenSSL


It is possible to generate a signed certificate for Windows Internet
Authentication Service (IAS) and LDAPS access to an Active Directory
using OpenSSL.


You need to generate a private/public key pair, sign it with your chosen
CA, convert it to PKCS12 format and then import it into your Windows
certificate store.


Sounds simple - it is, until you find that Windows requires the PKCS12
file to contain a couple of Microsoft specific Bag Attributes. Namely
the Cryptographic Service Provider (oid=1.3.6.1.4.1.311.17.1) set to
'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet
(oid=1.3.6.1.4.1.311.17.2) set to an empty string.


OpenSSL currently doesn't appear to support LocalKeySet so it's
necessary to patch it yourself.


Download this patch for version 0.9.8a of OpenSSL; it was based on a patch by
Daniel Carroll for version 0.9.7d and modified slightly for later versions.


Once you've got your new patched version of OpenSSL you need to generate
a CSR in the usual way and get it signed by a CA. There are a few
requirements that the certificate must comply with in order to work:


* The certificate must chain to a trusted CA.
* The X509 Extended Key Usage must contain Server Authentication
(oid=1.3.6.1.5.5.7.3.1).
* The name in the subject line of the certificate must match the
fully qualified machine name.
o For LDAPS the subject line must match the full computer
name including the Active Directory domain (eg.
hostname.ad-domain.domain) as indicated by the Computer Name tab of the
System Properties.
* The certificate must pass the CryptoAPI certificate store checks
- in order to do this the PKCS12 file must have the bag attributes
listed above.


To add the extra bag attributes use the following command:


openssl pkcs12 -name "PEAP Certificate" -export -in peap.pem -out peap.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK


Import the PKCS12 file into your machine's personal certificate store and
it should now work with PEAP or LDAP.


In order to ensure that the certificate contains the correct
extendedKeyUsage attributes you will need to add the following to your
openssl.conf file:


[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
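The whole procedure above, from CSR to PKCS12, as an added example that is not part of the original post or Stephen Pillinger's page. It assumes an OpenSSL 1.0.0 or later build, where -CSP and -LMK are built in and no patch is needed; the host name, the throwaway CA and the password are constructed. Beyond the post, it adds a subjectAltName (current Windows and supplicants match the name against SAN rather than CN) and a check_ias_p12 function that verifies each of the requirements listed above before you import the file.

```shell
# Added example, not the post's own code. Assumes OpenSSL >= 1.0.0 (-CSP/-LMK built in).
# HOST, the demo CA and the password are constructed values.
set -e
HOST="ias01.ad.example.internal"               # FQDN from the Computer Name tab (constructed)
WORK="${TMPDIR:-/tmp}/ias-cert-demo"
mkdir -p "$WORK"
export OPENSSL_CONF="$WORK/ias.cnf"            # keep req/x509 off the system openssl.cnf
# Config: a no-prompt [req] plus the sign_ias_csr section from the post. subjectAltName
# is an addition: current Windows and supplicants match the name against SAN, not CN.
cat > "$OPENSSL_CONF" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $HOST
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = DNS:$HOST
EOF
make_ias_p12() {                               # prints the path of the finished PKCS12
  cd "$WORK"
  # Throwaway CA standing in for "your chosen CA"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Lab CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  # Server key + CSR (CN = fully qualified machine name), then sign with the EKU section
  openssl req -newkey rsa:2048 -nodes -keyout peap.key -out peap.csr 2>/dev/null
  openssl x509 -req -in peap.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 \
    -extfile "$OPENSSL_CONF" -extensions sign_ias_csr -out peap.pem 2>/dev/null
  # Bundle with the CA chain and both Microsoft bag attributes. SHA1/3DES PBE and MAC are
  # chosen so 2003-era CryptoAPI can open the file (OpenSSL 3 defaults to PBES2/AES).
  openssl pkcs12 -export -name "PEAP Certificate" -inkey peap.key -in peap.pem \
    -certfile ca.pem -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout pass:changeit -out peap.p12
  echo "$WORK/peap.p12"
}
check_ias_p12() {                              # $1 = p12, $2 = CA pem; returns 0 if all checks pass
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts -out "$WORK/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes -out "$WORK/key.txt" 2>/dev/null
  openssl verify -CAfile "$2" "$WORK/leaf.pem" >/dev/null 2>&1 || return 1            # chains to CA
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -q 'TLS Web Server Authentication' || return 2
  openssl x509 -in "$WORK/leaf.pem" -noout -subject | grep -q "CN *= *$HOST" || return 3
  grep -q 'Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider' "$WORK/key.txt" || return 4
  grep -q 'Microsoft Local Key set' "$WORK/key.txt" || return 5
}
P12=$(make_ias_p12) && check_ias_p12 "$P12" "$WORK/ca.pem" && echo "ready to import: $P12"
```

The return code of check_ias_p12 tells you which requirement a file fails, so it can be run against any PKCS12 you are about to import, not only one built by this script.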

5 comments:

Anonymous said...

Your patch link is dead. I want to try it out. I'm having this exact issue.

Anonymous said...

Actually I found a source with more patches for multiple versions of openssl

http://www.cs.bham.ac.uk/~smp/resources/peap/

Anonymous said...

Does the latest openssl version include this patch?

Anonymous said...

Did anyone try this with the new NPS server on windows 2008 server?

Would this work with a CA such as verisign?

I am considering trying this out with NPS server and using a CA like verisign to authenticate my radius server as the genuine thing to my clients.

NPS is the IAS equivalent on the 2008 platform.

Please advise.

Anonymous said...

Thank you man, just created a proper certificate for IAS and 1x. You're great!