...

Info

IMPORTANT: adapt the settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf settings before issuing the CA. In particular:

(for reference: the end user certificates created by the intermediate CA will have the following URLs for these fields:


Info

In the generation scripts themselves, change the following parameters:

  • CA.bootstrapnewRootCA: "randomsource" → /dev/hwrng as provided by the Raspberry Pi

need to point to the future URL of the CRL/OCSP Responder.


...

The script will be executed by the dev team during initial installation, directly on one of the RADIUS servers (auth-1.hosted.eduroam.org) so that the server certificate private keys are immediately on the right host and need no copying.

...

Copy the server certificates, the private keys and the FreeRADIUS config snippets to the other RADIUS servers in the cluster (auth-2.hosted.eduroam.org).

Store the CA certificate private key set offline in a safe place.

Important: the CA certificates need to contain a valid URL for their CRL Distribution Point. The CRLDP is set by the addnro.py script as: CRLDP.0=http://ocsp.hosted.eduroam.org/server/<NRO>/crl/root.crl (where <NRO> is the ccTLD of the NRO in question, in capitalised letters - e.g. "PL")
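One way to check an issued CA certificate against this CRLDP scheme, as an added example that is not part of the original page or the project's scripts. It assumes the certificate has been dumped with `openssl x509 -noout -text`; the function names, the two-letter NRO check and the embedded sample output are constructed for illustration.

```python
import re

# URL scheme as stated on this page for addnro.py; {nro} is the upper-case ccTLD.
CRLDP_TEMPLATE = "http://ocsp.hosted.eduroam.org/server/{nro}/crl/root.crl"

def expected_crldp(nro):
    """Return the CRLDP URL for an NRO (assumption: a two-letter upper-case ccTLD)."""
    if not re.fullmatch(r"[A-Z]{2}", nro):
        raise ValueError(f"NRO must be a capitalised ccTLD, got {nro!r}")
    return CRLDP_TEMPLATE.format(nro=nro)

def crldp_uris(openssl_text):
    """Collect URIs nested under 'X509v3 CRL Distribution Points' in the text dump."""
    uris, ext_indent = [], None
    for line in openssl_text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if ext_indent is not None:
            if indent <= ext_indent:
                ext_indent = None  # a sibling extension or a new section starts
            elif body.startswith("URI:"):
                uris.append(body[4:])
        if ext_indent is None and body.startswith("X509v3 CRL Distribution Points"):
            ext_indent = indent
    return uris

def check_ca_crldp(openssl_text, nro):
    """Return a list of problems; an empty list means the CRLDP matches the scheme."""
    want = expected_crldp(nro)
    found = crldp_uris(openssl_text)
    if not found:
        return ["certificate has no CRL Distribution Point URI"]
    return [f"unexpected CRLDP {u!r}, expected {want!r}" for u in found if u != want]

# Constructed sample of the extensions part of `openssl x509 -noout -text` output.
SAMPLE_OK = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ocsp.hosted.eduroam.org/server/PL/crl/root.crl

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""
SAMPLE_LOWERCASE = SAMPLE_OK.replace("/PL/", "/pl/")  # NRO not capitalised
```

A non-empty result from `check_ca_crldp` before the CA private key goes offline is the cue to fix the settings and reissue, since the CRLDP cannot be changed in an issued certificate.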

Service Operation

Web Service (hosted.eduroam.org)

...