Ultimate wireless security guide: Self-signed certificates for your RADIUS server

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, describes self-signed digital certificates, which can be implemented to avoid the use of public or private Certificate Authorities.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

Self-signed digital certificates is a way avoiding the use of public or private Certificate Authorities. They have long been used by developers for the purpose of testing secure Web servers and code signing but have not been used in production systems. Few people know of this method or use it for RADIUS PEAP authentication and it has been difficult to find any documentation anywhere on the Internet or books explaining how to do this.

The concept of self-signed digital certificate is similar to Pretty Good Privacy (PGP) because it doesn't use the Certificate Authority model. Although both PKI and PGP are part of the broader umbrella of PKC, digital certificates were designed to conform to the PKI trust model made up of centrally trusted CAs while PGP used a freeform peer-to-peer method of establishing trust.

For example, a PGP user would generate their own public and private key pair and then post the public key to their own public Website for all to verify. Because of this model of establishing trust, there is no need for a public or private CA which is the biggest impediment to secure authentication protocols such as SSL and PEAP.

To create a self-signed digital certificate, one would simply use a utility (shown in next section) to generate a digital certificate with a digital signature. The difference here is that instead of using an external trusted CA (analogous to a Notary) to sign the digital certificate, the utility would simply sign the certificate itself.

Once the digital certificate is generated, a pubic version of the digital certificate containing the only the public key called a "root certificate" can be exported and be made publicly accessible. The root certificate can be distributed by any means (even on a public Website) without fear of compromising the certificate since the private key is kept private. As with any PKC technology such as PGP or PKI, there is no practical method of deriving the private key from the public key. Once a self-signed digital certificate, users can securely authenticate against that RADIUS server using PEAP authentication.

Microsoft IIS 6.0 Resource Kit

As soon as I thought of using self-signed digital certificates for PEAP authentication, I began looking for a simple utility for creating self-signed digital certificates. After an extensive search, I found within the Microsoft IIS 6.0 Resource Kit an interesting command line utility called SelfSSL.exe which can create self-signed digital certificates. Although it's intended to be used for Microsoft IIS 6.0 SSL Web server testing, it works for many other applications as well including PEAP since the certificate it generates is a standard X.509 certificate. After a quick test in the lab, it became obvious that this was a good alternative to building a PKI Certificate Authority to simplify PEAP authentication. Download a copy of the Microsoft IIS 6.0 Resource kit here

When you install it, you only need to install the 332 KB SelfSSL 1.0 component of the Resource Kit. (Figure A)

Figure A

SelffSSL 1.0 Installation Wizard

The SelfSSL.exe tool should work with most RADIUS/AAA Authentication Servers and I've verified this on Microsoft IAS server. On your Authentication Server, open up a command prompt and go to the directory where you installed it (default -- C:\Program Files\IIS Resources\SelfSSL). You then type the following command.

selfssl /N:CN=ServerName.YourDomain.com /K:1024 /V:1825 /S:1 /P:443
  • /N:CN should be set to your ServerName and your fully qualified domain name.
  • /K: typically set to 1024. 1024 is the number of bits allocated to the RSA key.
  • /V: is the number of days before the certificate expires. 1825 days is 5 years.
  • /S: is the site number in IIS.
  • /P: is the TCP port number. 443 is the standard SSL port.

Note that /S: and /P: are irrelevant in our case since you don't need IIS running on your Authentication Server. As a general rule of thumb for security sake, you run as few services on your server as possible. If you don't have IIS installed, executing the SelfSSL command as shown above will end with an error message "Error opening metabase: 0x80040154". That just means the IIS site was not found but you can ignore that error message since the Certificate you need for PEAP authentication will have already been generated.

Creating the root certificate

Once the digital certificate has been generated on your authentication server, you will need to export the root certificate for this Self Signed Certificate. The digital certificate is different from the root certificate. The digital certificate contains the public and private key pairs. The root certificate only contains the public key and a self proclamation that "I am a root certificate". You will need this root certificate for publication on a Web-server or file-server for manual root certificate deployment or you can import it in to your Active Directory Group Policy for automatic root certificate Deployment.

To begin, you'll need to open an MMC console by clicking Start | Run. Then type "mmc" and OK. You will see the following console appear (Figure B). From there, you'll click "ADD/Remove Snap-in...".

Figure B

MMC Console

You'll then see this screen (Figure C). Click on the "ADD" button.

Figure C

Add/Remove Snap-in

On this screen (Figure D), highlight "Certificates" and click on "Add" again.

Figure D


Select "Computer account" and click "Next". (Figure E)

Figure E

Computer account

Then select "Local computer" as shown below in Figure F and click "Finish".

Figure F

Local computer

You will see the resulting console appear. (Figure G)

Figure G

Console root

Expand "Certificates (Local Computer) to reveal the following. Right click on "MyAuthServ.MyDomain" or whatever you used for your SelfSSL "/N:CN" argument, hit "All Tasks" and then choose "Export". (Figure H)

Figure H


You will see the following wizard (Figure I). Choose "Next".

Figure I

Certificate Export Wizard

For this step, make sure you DO NOT export the "Private Key" because that must be kept private on the server. If you use the "Yes, export the private key" feature, that allows you to make a backup of the digital certificate but you want to guard that file in a protected area. Anyone who gets that file compromises your digital certificate because they now have a copy of your private key. Exporting the private key also lets you take that digital certificate and copy it to a redundant RADIUS server so you can import it there without having to generate a second key. If you have more than one RADIUS authentication server, make sure you copy the certificate over and don't generate a second key unless you want to complicate deployment matters by having to deploy two root certificates. (Figure J)

Figure J

Not the private key

Use the "DER" format because it is compatible with Windows and Windows Mobile devices (Figure K). Windows doesn't care what format it's in but Windows Mobile does.

Figure K

File format

Give the certificate a path and file name. (Figure L) You'll need to note the name for later use.

Figure L

Path and file name

Hit "Finish" and you've just exported your Self Signed root certificate to a file. (Figure M)

Figure M


Now you're have a self-signed root certificate ready to be deployed to the clients automatically or manually along with the digital certificate on your authentication server ready to use. We'll discuss how you actually use this certificate on our Microsoft IAS RADIUS server configuration guide.