Creating Certificates for the RADIUS Server and for Subscriber Devices

Create your own certificate authority (CA)

Creating a CA private key

  1. The root (self-signed) certificate is created from our own private key. Go to the directory where the certificate database is stored and start generating.
  2. Create the private key for the CA (your own Certificate Authority): an RSA key of 2048 bits, encrypted with the 3DES algorithm. The key file is named cambium-ca.key:
openssl genrsa -des3 -out cambium-ca.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
...........+++
e is 65537 (0x10001)
Enter pass phrase for cambium.key:
Verifying - Enter pass phrase for cambium-ca.key:
  3. While creating the private key, you must enter (and confirm) a passphrase, which protects the key. The contents of the key can be viewed with the following command:
openssl rsa -noout -text -in cambium-ca.key

In this case you must enter the private key passphrase again.

Creating a CA certificate

  1. Generate a self-signed CA certificate:
openssl req -new -x509 -days 3650 -key cambium-ca.key -out cambium-ca.crt
Enter pass phrase for cambium.key:

You are asked to enter information that will be incorporated into your certificate request.

What you enter is called a Distinguished Name or a DN.  If you enter '.', field is left blank.

-----

Country Name (2 letter country code)

State or Province Name (full name)

Locality Name (Ex. City)

Organization Name (Ex, Cambium Networks)

Organizational Unit Name (Ex. Cambium)

Common Name (Ex. cambium root CA)

Email Address (Ex. admin@cambium.com)

  2. When generating the certificate, you must enter the passphrase that protects the CA private key, and then fill in the required fields (company name, email, etc.); the most important of these is the Common Name, the unique name of the certification authority.

In this case "cambium root CA" was chosen as the Common Name. View the resulting certificate with the following command:

openssl x509 -noout -text -in cambium-ca.crt

As a result, we see:

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            ea:30:7b:69:a2:13:0c:70

        Signature Algorithm: md5WithRSAEncryption

        Issuer: C = UA, ST = Euro, L = Kiev, O = Cambium Networks, OU = Cambium,

        CN = cambium root CA / emailAddress = admin@cambium.com

# Issuer (ourselves, that is, the certificate is self-signed)

       Validity

            Not Before: Dec 9, 2005 11:34:29 GMT

            Not After: Dec 7, 2015 11:34:29 GMT

# Validity of the certificate

        Subject: C = UA, ST = Euro, L = Kiev, O = Cambium Networks, OU = Cambium,

        CN = cambium root CA / emailAddress = admin@cambium.com

# Subject of the certificate (whom it is issued to)

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (2048 bit)

                Modulus (2048 bit):

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                4C:80:F5:82:4C:A4:52:DF:9E:0C:0D:64:74:68:1E:45:F6:C1:C7:68

            X509v3 Authority Key Identifier:

                keyid:4C:80:F5:82:4C:A4:52:DF:9E:0C:0D:64:74:68:1E:45:F6:C1:C7:68

                DirName:/C=UA/ST=Euro/L=Kiev/O=Cambium Networks/OU=Cambium/CN=cambium root CA/emailAddress=admin@cambium.com

                serial:EA:30:7B:69:A2:13:0C:70

            X509v3 Basic Constraints:

                CA:TRUE

Signature Algorithm: md5WithRSAEncryption

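  3. Now copy the certificate and key of the CA to a common location, for example /etc/ssl/cambium. This directory holds the CA private key, so it should be readable only by the account that signs certificates.
mkdir /etc/ssl/cambium
cp cambium-ca.* /etc/ssl/cambium/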
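
The dump above reports md5WithRSAEncryption as the signature algorithm; MD5-signed certificates are no longer considered safe, and current OpenSSL releases sign with SHA-256 by default. The shell function below is an added example (not part of the original article or of Cambium's scripts) that reads "openssl x509 -noout -text" output and reports the signature algorithm, RSA key size, self-signed and CA status, and expiry; the sample dump is constructed from the values shown above and the finding labels are the example's own.

```shell
#!/bin/sh
# Added example: audit the text printed by `openssl x509 -noout -text`.
# SAMPLE_CA_DUMP is constructed from the values shown above (key and
# signature bytes omitted); the finding labels are this example's own.
SAMPLE_CA_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=UA, ST=Euro, L=Kiev, O=Cambium Networks, OU=Cambium, CN=cambium root CA
        Validity
            Not Before: Dec  9 11:34:29 2005 GMT
            Not After : Dec  7 11:34:29 2015 GMT
        Subject: C=UA, ST=Euro, L=Kiev, O=Cambium Networks, OU=Cambium, CN=cambium root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE'

# Reads a certificate dump on stdin and prints one finding per line.
audit_cert_text() {
    awk '
    /Signature Algorithm:/ && !sig { sig = $NF }
    /^ *Issuer:/   { sub(/^ *Issuer: */, "");  issuer = $0 }
    /^ *Subject:/  { sub(/^ *Subject: */, ""); subject = $0 }
    /Public[- ]Key: \(/ { bits = $0; gsub(/[^0-9]/, "", bits) }
    /CA:TRUE/      { ca = 1 }
    /Not After/    { sub(/^[^:]*: */, ""); notafter = $0 }
    END {
        # MD2, MD5 and SHA-1 are no longer safe for certificate signatures.
        if (tolower(sig) ~ /md2|md5|sha1/) print "WEAK-SIGNATURE " sig
        else print "OK-SIGNATURE " sig
        # Size check assumes an RSA key, as used throughout this page.
        if (bits + 0 < 2048) print "WEAK-KEY " bits " bit"
        else print "OK-KEY " bits " bit"
        if (issuer == subject) print "SELF-SIGNED"
        else print "ISSUED-BY " issuer
        if (ca) print "CA-CERT"
        else print "END-ENTITY"
        print "EXPIRES " notafter
    }'
}

# Run on the sample; for a real file:
#   openssl x509 -noout -text -in cambium-ca.crt | audit_cert_text
printf '%s\n' "$SAMPLE_CA_DUMP" | audit_cert_text
```

The same function can be run against an issued certificate such as radius.cambium.com.crt, where the expected findings are ISSUED-BY and END-ENTITY rather than SELF-SIGNED and CA-CERT.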

Issuance of certificates

Certificate generation script

  • Download the script sign_cert.sh (from the Cambium support web-site, listed under "Certificate generation script"). It allows you to create server and user certificates.
  • Edit the following lines:
ROOTCA = "cambium" - root CA name: file name of the root certificate (without the suffix '-ca')
O = "Cambium Networks" - name of the organization
C = "UA" - country
ST = "Euro" - state
L = "Kiev" - city
OU = "Cambium" - organizational unit
EMAIL = email@cambium.com - email
BITS = 2048 - size of the generated key in bits
CLIENT_DAYS = 730 - client certificate validity period in days
SERVER_DAYS = 1461 - server certificate validity period in days

The lines for country, city, department, email, etc. should be edited (though this is not strictly necessary: they are default values that can be changed while creating the certificate). The variables for the certificate validity periods can be left unchanged.

Creating a server certificate (for RADIUS)

  1. Create a server certificate (option server_cert); the file name (and certificate name) is radius.cambium.com:
./sign_cert.sh server_cert radius.cambium.com
create certificate key: radius.cambium.com.key
 
Generating RSA private key, 2048 bit long modulus
.......+++
..................................+++
e is 65537 (0x10001)

# Enter the passphrase that will protect the key

Enter pass phrase for radius.cambium.com.key:
Verifying - Enter pass phrase for radius.cambium.com.key:
decrypt certificate key: radius.cambium.com.crt
Enter pass phrase for radius.cambium.com.key:
writing RSA key

# Create a certificate request

Create certificate request: radius.cambium.com.csr

./sign_cert.sh radius.cambium.com server_cert

You are asked to enter information that will be incorporated into your certificate request.  What you are about to enter is what is called a Distinguished Name or a DN.  If you enter '.', the field will be left blank.

  2. Then you must fill in the fields you want, as for the root certificate. Default values are already populated in square brackets. To use them, simply press ENTER.
  • Your Country Name (2 letter country code):
  • State or Province Name (full name):
  • Locality Name (Ex.- city)
  • Organization Name (Ex.- Cambium Networks):
  • Organizational Unit Name (Ex.- Cambium):
  • Common Name (Ex.- radius.cambium.com):
  • Email Address (Ex.- email@cambium.com):

# Sign the certificate request

sign certificate by CA: radius.cambium.com.crt
sign ca is: cambium-ca
CA signing: radius.cambium.com.csr -> radius.cambium.com.crt:
Using configuration from ca.config
  3. Since we sign the newly created certificate with the root certificate, we must enter the passphrase that protects the private key of our CA:
Enter pass phrase for ./../cambium-ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName: PRINTABLE: 'UA'
stateOrProvinceName: PRINTABLE: 'Euro'
localityName: PRINTABLE: 'Kiev'
organizationName: PRINTABLE: 'Cambium Networks'
organizationalUnitName: PRINTABLE: 'Cambium'
commonName: T61STRING: 'radius.cambium.com'
emailAddress: IA5STRING: 'email@cambium.com'
Certificate is to be certified until Dec 25 12:05:18 2013 GMT (730 days)
Everything is OK, completing work

Server certificate is created.
