Server Certificates

EAP Server Certificates

802.1X is a protocol used for secure authentication and authorization in computer networks. When implementing 802.1X authentication, the network access server (NAS) and the client device both need to authenticate each other using digital certificates.

An 802.1X server certificate is a digital certificate that is used by the authentication server to authenticate itself to the client device during the authentication process. The certificate contains information about the server, including its name and public key, which is used to establish a secure connection between the client and the server.

The server certificate is usually issued by a trusted third-party Certificate Authority (CA) and is signed using the CA's private key. When a client device connects to the network and attempts to authenticate itself, it receives the server certificate from the authentication server and checks the certificate's signature to ensure that it was issued by a trusted CA. If the certificate is valid, the client device can then proceed with the authentication process.

With EAP-TLS, EAP-TTLS and PEAP, the server and the clients encrypt data using the Transport Layer Security (TLS) protocol, the successor of the Secure Sockets Layer (SSL) protocol.

For testing purposes, SpherAAA can be configured to use TLS with self-signed certificates and keys.

Creating the Server and CA Certificate using CertGen

SpherAAA provides tools for generating server certificates. To generate a certificate, navigate to the Configuration > Secure > CA Certificates page.

During the certificate generation, you can specify to which EAP-Type and environment you would like to apply this server certificate.

The CertGen column provides several functions:

  • Generate a client certificate using this CA.
  • Generate a server certificate using this CA.

The Action column provides:

  • Manage the SCEP server for the CA certificate.
  • Download the CA public certificate (PEM file).
  • Remove the CA certificate (not recoverable!).

[Figure: Secure page, CA Certificates list]

The Server Certificates Action column provides several functions:

  • Modify the assigned environment and EAP-Types.
  • Download the full certificate (PEM file), including the server private key.
  • Remove the certificate (not recoverable!).

[Figure: Secure page, Certificates list]

Next, click the CA/CertGen > Generate Server Certificate button.

[Figure: Generate server certificate]

Fill in the certificate details and click Generate.

Import / Create the Server and CA Certificate manually

  1. Generate a private key for the CA:

     openssl genrsa 2048 > ca-key.pem

  2. Generate the X509 certificate for the CA:

     openssl req -new -x509 -nodes -days 3650 \
        -key ca-key.pem \
        -out ca-cert.pem

Creating the Server's Certificate and Keys

  1. Generate the private key and certificate request:

     openssl req -newkey rsa:2048 -nodes -days 3650 \
        -keyout server-key.pem \
        -out server-req.pem

  2. Generate the X509 certificate for the server:

     openssl x509 -req -days 3650 -set_serial 01 \
        -in server-req.pem \
        -out server-cert.pem \
        -CA ca-cert.pem \
        -CAkey ca-key.pem

Creating the Client's Certificate and Keys

  1. Generate the private key and certificate request:

     openssl req -newkey rsa:2048 -nodes -days 3650 \
        -keyout client-key.pem \
        -out client-req.pem

  2. Generate the X509 certificate for the client:

     # Serial numbers must be unique per CA: the server certificate already
     # uses 01, so the client certificate gets 02.
     openssl x509 -req -days 3650 -set_serial 02 \
        -in client-req.pem \
        -out client-cert.pem \
        -CA ca-cert.pem \
        -CAkey ca-key.pem

Upload certificate files to SpherAAA for EAP-TTLS/PEAP/TLS

  1. Go to Configuration > Secure.

  2. Click Import Certificate.

  3. Upload the self-signed certificates to SpherAAA as follows:

     • Server Cert Private key: server-key.pem
     • Server Certificate: server-cert.pem
     • Root Certs: ca-cert.pem

[Figure: Certificate import]

  4. After a successful import, you are ready to accept TLS, TTLS or PEAP with SpherAAA.

EAP-TLS Client Certificates

EAP-TLS Clients

[Figure: EAP-TLS client certificates list]

To utilize EAP-TLS, follow these steps:

Create a client certificate on the CA Certificates (CertGen) page. CertGen offers several options: the generated certificate can be sent to your e-mail either as an attachment or through a one-time URL, in formats such as PEM, PKCS12 or an Apple .mobileconfig file.

[Figure: Generate EAP-TLS client certificate]

The generated client certificate needs to be installed on the client device: on iOS through an Apple device configuration profile (.mobileconfig file), on Android via the WifiManager API.

The download function for EAP-TLS client certificates offers several delivery methods:

  1. Download as PEM: This method enables users to download the generated client certificate in PEM format, which is commonly used in various applications and systems.

  2. Download as PKCS12: Users can also choose to download the client certificate in PKCS12 format, which is suitable for certain platforms and applications that require this specific format.

  3. Email Attachment: The download function provides the option to have the generated certificate sent directly to the user's email as an attachment, making it easy to access and use.

  4. One-Time URL: Alternatively, users can opt for a one-time URL that grants secure access to download the client certificate. This option ensures privacy and security during the download process.

These methods offer flexibility and convenience to users when obtaining and using their EAP-TLS client certificates.

wpa_supplicant example

By configuring wpa_supplicant with this information, you can test EAP-TLS authentication against your Wi-Fi network. The three paths below point at the parts of the single PEM file downloaded from SpherAAA (private key, CA certificate, client certificate), split into separate files.

network={
    ssid="YOUR_SSID_NAME"
    scan_ssid=1
    key_mgmt=WPA-EAP
  # pairwise=CCMP TKIP
  # group=CCMP TKIP
    eap=TLS
    identity="user@example.com"
    private_key="/etc/cert/pkey.pem"      # first part of the PEM file
  # private_key_passwd="password"        # passphrase for a protected key
    ca_cert="/etc/cert/ca.pem"           # middle part of the PEM file
    client_cert="/etc/cert/client.pem"   # last part of the PEM file
}
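The downloaded PEM file has to be split into the three files the configuration above references. The following is an added example (not SpherAAA's or wpa_supplicant's code) that does the split, flags an encrypted key so that private_key_passwd is only emitted when needed, and renders the network stanza; it assumes the block order stated in the config comments (key, CA, client) and uses a constructed dummy bundle as input.

```python
"""Split a SpherAAA EAP-TLS PEM bundle for wpa_supplicant (added example, not SpherAAA code)."""
import os
import re
from pathlib import Path

# One PEM block; the BEGIN and END labels must match (e.g. "RSA PRIVATE KEY", "CERTIFICATE").
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)

# Constructed bundle with dummy bodies: only the PEM framing matters for the split.
SAMPLE_BUNDLE = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEdummyKEY==\n-----END RSA PRIVATE KEY-----\n"
                 "-----BEGIN CERTIFICATE-----\nMIIDdummyCA==\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nMIIDdummyCLIENT==\n-----END CERTIFICATE-----\n")

def split_bundle(bundle: str) -> dict:
    """Return private key, CA cert and client cert from a concatenated PEM bundle.
    Assumption taken from the config comments on this page: key first, then CA, then client."""
    keys, certs = [], []
    for m in PEM_BLOCK.finditer(bundle):
        label, block = m.group("label"), m.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):
            # PKCS#8 encrypted keys say ENCRYPTED in the label; legacy PEM keys
            # carry a "Proc-Type: 4,ENCRYPTED" header inside the block instead.
            enc = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in m.group("body")
            keys.append((block, enc))
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1 or len(certs) != 2:
        raise ValueError(f"expected 1 key + 2 certs, got {len(keys)} key(s), {len(certs)} cert(s)")
    return {"private_key": keys[0][0], "encrypted": keys[0][1],
            "ca_cert": certs[0], "client_cert": certs[1]}

def wpa_network_block(parts: dict, certdir: str, ssid: str, identity: str) -> str:
    """Render the network={} stanza; private_key_passwd is emitted only for an encrypted key."""
    d = Path(certdir)
    passwd = '    private_key_passwd="CHANGE_ME"\n' if parts["encrypted"] else ""
    return (f'network={{\n    ssid="{ssid}"\n    scan_ssid=1\n    key_mgmt=WPA-EAP\n'
            f'    eap=TLS\n    identity="{identity}"\n    private_key="{d / "pkey.pem"}"\n'
            f'{passwd}    ca_cert="{d / "ca.pem"}"\n    client_cert="{d / "client.pem"}"\n}}\n')

def write_cert_files(parts: dict, certdir: str) -> None:
    """Write the three files; the private key is made readable by its owner only."""
    d = Path(certdir)
    d.mkdir(parents=True, exist_ok=True)
    for name, key, mode in (("pkey.pem", "private_key", 0o600), ("ca.pem", "ca_cert", 0o644),
                            ("client.pem", "client_cert", 0o644)):
        (d / name).write_text(parts[key])
        os.chmod(d / name, mode)
```

Run split_bundle on the real downloaded file, then write_cert_files(parts, "/etc/cert") and append the returned stanza to wpa_supplicant.conf.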

RADSEC

Client Certificates

Plain RADIUS is insecure; RADSEC is a method for enclosing the RADIUS protocol in a TLS tunnel. The SpherAAA RADSEC client supports TLSv1.2 and TLSv1.3.

The source IP address and shared secret are still required for authentication verification, so the source address must be defined in the NAS List.

To use RADSEC, generate a client certificate. After generation, download the PEM file that contains the client's private key and certificate.

Certificate revocation

[Figure: Secure page, RADSEC Certificates list]

Alternative CA Certificates

If your RADSEC client does not support client certificates, you can import your own CA certificate (public key) into SpherAAA, and it will be included in the list of trusted CAs.

[Figure: Secure page, Import RADSEC CA]

MikroTik example

  1. Upload the RADSEC certificate to MikroTik using the Files menu:

[Figure: MikroTik file upload]

  2. Import the certificate using System > Certificate:

[Figure: Imported certificate]

  3. In the RADIUS settings, create a new RADIUS endpoint configuration as shown below:

     • Service: depends on the service
     • Address:
     • Protocol: radsec
     • Secret: shared secret from the NAS
     • Timeout: at least 2000ms
     • Certificate: choose the certificate from the list

[Figure: RADIUS RADSEC configuration]

EAP-AKA/SIM Identity

To decrypt the EAP-AKA/SIM identity, the EAP-AKA/SIM private key must be imported. This key is used to obtain the cleartext IMSI. The private key must be in PEM format.

Additionally, the public key must be included in the carrier bundle, and the serial number of the public key is also needed: the EapAkaIdentity function resolves the corresponding private key by its serial number.

  • Server Cert Private key: private key in PEM format
  • Serial number: public key serial number

To activate a private key in a specific environment, choose the corresponding switch.

[Figure: Secure page, EAP-AKA/SIM configuration]