Cryptography

This section is simply a web interface to the OpenSSL toolkit. The operation should be straightforward: first you need to generate a Certificate Authority (CA) certificate, which is a self-signed master certificate used to sign all the other issued certificates.

The most important field is the Common Name. For the CA certificate it is advised to state its purpose clearly, for example: "University of Maribor CA". For the RADIUS authentication server you may use any text you find suitable, for example: "University of Maribor Eduroam AAA server". This tool can also be used to generate certificates for other servers (https, pop3s, imaps, ...), but then you need to make sure that you enter the server's FQDN (Fully Qualified Domain Name) as the Common Name, for example: "www.arnes.si".

Warning: You should be aware that certificate requests and private keys should be generated on the server they are meant to be used on; only the request is then sent to the CA server, which signs it and sends back a valid certificate. This way the private key never leaves the server it belongs to. In our case the certificate key, request and certificate are all generated on the Eduroam server and need to be exported to their respective servers.

Warning 2: If you use this CA certificate to sign certificates for purposes other than the Eduroam AAI server, those certificates can also be used to impersonate the valid Eduroam authentication server. So if someone steals, for example, your web server's private key, they can pose as a valid Eduroam server for your organization.

With these security warnings in mind, it is acceptable to use this tool to generate the certificates for other services as well; this way you only need to distribute a single CA certificate for the whole organization. As usual, it is a trade-off between security and usability.

For countries that do not have states, you can enter a dot (".") to leave the field empty, or just type in the full country name.

After you generate a CA certificate, you need to generate the Eduroam AAI server certificate. Once it is generated, select it from the list and mark it for Eduroam use with the "Use the certificate for Eduroam" button.
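The same workflow, carried out directly with the OpenSSL command-line tool rather than the web interface, as an added example that is not part of this page or its tool: the CA key and self-signed CA certificate are created once, the server's private key and certificate request (CSR) are created on the server that will use them, only the CSR is handed to the CA for signing, and the result is checked against the CA certificate. The organisation name, Common Names, file names and the working directory are illustrative assumptions; `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): CA -> CSR -> signed certificate
# with the openssl CLI. All subject fields and paths below are assumptions.
set -e

# Working directory for the generated material (assumption: a temp dir).
WORK="${WORK:-$(mktemp -d)}"

# Step 1, on the CA machine: self-signed CA certificate, valid ten years.
# The state field (ST) is simply omitted for a country without states.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=SI/O=Example University/CN=Example University CA" 2>/dev/null
}

# Step 2, on the target server: private key and CSR are generated here.
# Only "$WORK/$1.csr" ever travels to the CA; "$WORK/$1.key" stays put.
#   $1 = base file name, $2 = Common Name
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/C=SI/O=Example University/CN=$2" 2>/dev/null
}

# Step 3, back on the CA machine: sign the CSR with the CA key, two years.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -out "$WORK/$1.crt" 2>/dev/null
}

# Check: does the issued certificate chain back to our CA? (exit 0 = yes)
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Check: a certificate issued by some other CA must NOT verify against ours.
# Returns 0 when verification correctly fails.
rejects_foreign_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" \
    -subj "/C=SI/O=Other Org/CN=Other Org CA" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/other.crt" >/dev/null 2>&1
}

# Stand-alone run: CA, the RADIUS server certificate, and a web server
# certificate (FQDN as Common Name) issued by the same CA.
main() {
  make_ca
  make_server_csr radius "Example University Eduroam AAA server"
  sign_csr radius
  make_server_csr www "www.example.org"
  sign_csr www
  verify_cert radius && echo "radius.crt chains to ca.crt"
  verify_cert www && echo "www.crt chains to ca.crt"
}

[ "${RUN_MAIN:-0}" = 1 ] && main
true
```

Run with `RUN_MAIN=1 sh ca-workflow.sh`. Note that both `verify_cert` calls succeed: a supplicant that only trusts `ca.crt` accepts the web server certificate just as readily as the RADIUS one, which is exactly the situation Warning 2 describes. Whoever holds any key issued by this CA can present a certificate the supplicant accepts, so clients should additionally pin the expected server Common Name, and every private key should be guarded as carefully as the RADIUS server's.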

If you create a new CA certificate, it will overwrite the old one and render all previously deployed certificates unusable.
