Freeradius EAP CRL Generation

If you followed my tutorial on Using A Radius Server On Ubuntu 14.04 for Wifi Authentication, you may have noticed that one thing I didn't cover is how to make a Certificate Revocation List (CRL) for it. It's actually pretty easy to do, but again not very well documented. My struggles with using EAP with Freeradius usually come down to the Freeradius guys saying "That's openssl, go figure it out". I'm not an OpenSSL wizard, so figuring it out took a while.

Start by enabling the CRL in your EAP configuration

Freeradius can only make use of the CRL if the ca.pem and the CRL are in one file. We don't want to mess with the original ca.pem, so edit /etc/freeradius/eap.conf, point ca_file at a new combined file and turn on CRL checking:

# in the tls { } section of eap.conf
ca_file = ${cadir}/ca_and_crl.pem
check_crl = yes

Make a script to generate a CRL

Now we need to generate that file. Since the CRL has to be regenerated at least once every 30 days, it is worth putting the commands in a script. I keep mine in /root/ and added it to crontab to run nightly. You can just as easily run it weekly, but the CRL must be less than 30 days old or Freeradius will reject every authentication request.

#!/bin/bash
# Regenerate the CRL and rebuild the ca_and_crl.pem bundle that Freeradius reads.
set -e
cd /var/certs/freeradius
# -passin supplies the CA key passphrase; replace mycapassword with your own
openssl ca -gencrl -keyfile ./ca.key -cert ./ca.pem -out /var/certs/freeradius/mycrl.pem -config ./ca.cnf -passin pass:mycapassword
# Freeradius wants the CA certificate and the CRL in a single file
cat /var/certs/freeradius/ca.pem /var/certs/freeradius/mycrl.pem > /var/certs/freeradius/ca_and_crl.pem
chown root:freerad /var/certs/freeradius/ca_and_crl.pem
chmod 640 /var/certs/freeradius/ca_and_crl.pem

Be sure you change mycapassword in the openssl line to the password for the CA key you set up in ca.cnf when you configured your certificates.

Don't forget to make it executable with chmod 750 and schedule it with crontab.

Now run the script to generate your first CRL. You will also need to symlink the combined file into the Freeradius certs directory:

cd /etc/freeradius/certs/
# creates ./ca_and_crl.pem pointing at the file the script maintains
ln -s /var/certs/freeradius/ca_and_crl.pem

To revoke a certificate

To revoke a certificate, for example when a device is lost or a user leaves the company:

cd /var/certs/freeradius/
# marks the certificate as revoked in the CA database; you will be prompted for the CA key passphrase
openssl ca -revoke CERT_TO_REVOKE.pem -keyfile ca.key -cert ca.pem -config ./ca.cnf

Then run the script above again so that ca_and_crl.pem is regenerated with the updated list.
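The generate, bundle and revoke steps above, as an added example that is not part of the original post and not how Freeradius or openssl are implemented. It uses Go's standard library instead of openssl ca to build a throwaway CA and CRL, parses a ca_and_crl.pem style bundle the way the ca_file setting needs it (CA certificate plus CRL in one file), and runs the two checks that catch a broken bundle before Freeradius starts refusing everyone: the CRL must be signed by the bundled CA, and it must not have passed its nextUpdate (the 30-day window). The function names, the CA name and the serial numbers are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// loadBundle splits a ca_and_crl.pem style file into its CA certificate and CRL; block order does not matter.
func loadBundle(data []byte) (ca *x509.Certificate, crl *x509.RevocationList, err error) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		switch block.Type {
		case "CERTIFICATE":
			if ca, err = x509.ParseCertificate(block.Bytes); err != nil {
				return nil, nil, err
			}
		case "X509 CRL":
			if crl, err = x509.ParseRevocationList(block.Bytes); err != nil {
				return nil, nil, err
			}
		}
	}
	if ca == nil || crl == nil {
		return nil, nil, errors.New("bundle needs both a CERTIFICATE and an X509 CRL block")
	}
	return ca, crl, nil
}

// checkBundle is the pre-flight check to run after the cron job: the CRL must be
// signed by the CA in the same file and must still be current at `now`.
func checkBundle(ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL was not signed by the bundled CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || !now.Before(crl.NextUpdate) {
		return fmt.Errorf("CRL not current at %s (thisUpdate %s, nextUpdate %s)", now, crl.ThisUpdate, crl.NextUpdate)
	}
	return nil
}

// isRevoked reports whether the certificate with this serial is listed in the CRL.
func isRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// makeTestBundle builds a throwaway CA plus a CRL valid for crlDays that revokes the given
// serials, returned as ca.pem followed by the CRL, the way the cron script concatenates them.
// Constructed test data only, not the output of openssl ca.
func makeTestBundle(now time.Time, revoked []*big.Int, crlDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab CA"}, // made-up name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is mandatory for a CRL issuer
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.AddDate(0, 0, crlDays), // same role as default_crl_days in ca.cnf
		RevokedCertificates: entries,
	}, ca, key)
	if err != nil {
		return nil, err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER})...)
	return out, nil
}
```

Running checkBundle against the real /var/certs/freeradius/ca_and_crl.pem from a monitoring job tells you a stale or mis-signed CRL is about to cause rejected logins while there is still time to rerun the script; the openssl equivalent of the freshness check is `openssl crl -in ca_and_crl.pem -noout -nextupdate`, which reads past the CERTIFICATE block to the CRL.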

Posted by Tony on Apr 05, 2016 | Servers, Freeradius, Network Security