FreeRADIUS 证书即将过期

FreeRADIUS 证书即将过期

最近我创建了一个使用 Active Directory 进行身份验证的 RADIUS 服务器 (Freeradius)。我遵循此链接创建此服务器:现在,当我在 /etc/raddb/cert 中看到“server.cnf”文件时,我才意识到证书将在下个月过期。所以,我真的很担心,因为我不知道如何重新生成新证书。同样在 /etc/raddb/cert 中,有几个文件,例如:

01.pem、ca.cnf、ca.key、c​​lient.cnf、index.txt、index.txt.old、随机、串行、server.cnf、server.csr server.p12、xpextensions、bootstrap、ca.der、ca.pem、dh、index.txt.attr、Makefile、README、serial.old server.crt、server.key、server.pem

现在,我有点困惑,我到底该怎么做才能延长此证书的有效期?


半径配置文件

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}

instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/cert/Server.cnf

[ ca ]

default_ca              = CA_default

[ CA_default ]

dir                     = ./

certs                   = $dir

crl_dir                 = $dir/crl

database                = $dir/index.txt

new_certs_dir           = $dir

certificate             = $dir/server.pem

serial                  = $dir/serial

crl                     = $dir/crl.pem

private_key             = $dir/server.key

RANDFILE                = $dir/.rand

name_opt                = ca_default

cert_opt                = ca_default

default_days            = 60

default_crl_days        = 30

default_md              = sha1

preserve                = no

policy                  = policy_match



[ policy_match ]

countryName             = match

stateOrProvinceName     = match

organizationName        = match

organizationalUnitName  = optional

commonName              = supplied

emailAddress            = optional



[ policy_anything ]

countryName             = optional

stateOrProvinceName     = optional

localityName            = optional

organizationName        = optional

organizationalUnitName  = optional

commonName              = supplied

emailAddress            = optional



[ req ]

prompt                  = no

distinguished_name      = server

default_bits            = 2048

input_password          = whatever

output_password         = whatever



[server]

countryName             = FR

stateOrProvinceName     = Radius

localityName            = Somewhere

organizationName        = Example Inc.

emailAddress            = [email protected]

commonName              = "Example Server Certificate"

答案1

当我尝试运行“bootstrap”脚本或“make all”时,运行结束时返回此消息(仅限 60 天):

openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | 

sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config 

./server.cnf

Using configuration from ./server.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep 17 15:55:12 2014 GMT

            Not After : Nov 16 15:55:12 2014 GMT

        Subject:

            countryName               = FR

            stateOrProvinceName       = Radius

            organizationName          = Example Inc.

            commonName                = Example Server Certificate

            emailAddress              = [email protected]

        X509v3 extensions:

            X509v3 Extended Key Usage: 

                TLS Web Server Authentication

证书认证有效期至 2014 年 11 月 16 日 15:55:12 GMT(60 天)

相关内容