The complete TechRepublic Ultimate Wireless
Security Guide is available as a download in PDF form.

Self-signed digital certificates is a way avoiding the use of public or private Certificate Authorities. They
have long been used by developers for the purpose of testing secure Web servers
and code signing but have not been used in production systems. Few people know of
this method or use it for RADIUS PEAP authentication and it has been difficult to
find any documentation anywhere on the Internet or books explaining how to do this.

The concept of
self-signed digital certificate is similar to Pretty Good Privacy (PGP) because
it doesn’t use the Certificate Authority model. Although both PKI and PGP are part
of the broader umbrella of PKC, digital certificates were designed to conform to
the PKI trust model made up of centrally trusted CAs while
PGP used a freeform peer-to-peer method of establishing trust.

For example, a
PGP user would generate their own public and private key pair and then post the
public key to their own public Website for all to verify. Because of this model
of establishing trust, there is no need for a public or private CA which is the
biggest impediment to secure authentication protocols such as SSL and PEAP.

To create a self-signed
digital certificate, one would simply use a utility (shown in next section) to generate
a digital certificate with a digital signature. The difference here is that instead
of using an external trusted CA (analogous to a Notary) to sign the digital certificate,
the utility would simply sign the certificate itself.

Once the digital
certificate is generated, a pubic version of the digital certificate containing
the only the public key called a “root certificate” can be exported and
be made publicly accessible. The root certificate can be distributed by any means
(even on a public Website) without fear of compromising the certificate since the
private key is kept private. As with any PKC technology such as PGP or PKI, there
is no practical method of deriving the private key from the public key. Once a self-signed
digital certificate, users can securely authenticate against that RADIUS server
using PEAP authentication.

Microsoft IIS 6.0 Resource Kit

As soon as I thought of using self-signed digital certificates
for PEAP authentication, I began looking for a simple utility for creating self-signed
digital certificates. After an extensive search, I found within the Microsoft IIS
6.0 Resource Kit an interesting command line utility called SelfSSL.exe which can
create self-signed digital certificates. Although it’s intended to be used for Microsoft
IIS 6.0 SSL Web server testing, it works for many other applications as well including
PEAP since the certificate it generates is a standard X.509 certificate. After a
quick test in the lab, it became obvious that this was a good alternative to building
a PKI Certificate Authority to simplify PEAP authentication. Download a copy of the Microsoft
IIS 6.0 Resource kit here

When you install it, you only need to install the 332 KB
SelfSSL 1.0 component of the Resource Kit. (Figure A)

Figure A

SelffSSL 1.0 Installation Wizard

The SelfSSL.exe tool should work with most RADIUS/AAA Authentication
Servers and I’ve verified this on Microsoft IAS server. On your Authentication Server,
open up a command prompt and go to the directory where you installed it
(default — C:\Program Files\IIS Resources\SelfSSL). You then type the following command.

selfssl /N:CN=ServerName.YourDomain.com /K:1024 /V:1825 /S:1 /P:443

  • /N:CN
    should be set to your ServerName and your fully qualified
    domain name.
  • /K: typically set to 1024. 1024
    is the number of bits allocated to the RSA key.
  • /V: is the number of days before
    the certificate expires. 1825 days is 5 years.
  • /S: is the site number in IIS.
  • /P: is the TCP port number.
    443 is the standard SSL port.

Note that /S: and /P: are irrelevant in our
case since you don’t need IIS running on your Authentication Server. As a general
rule of thumb for security sake, you run as few services on your server as possible.
If you don’t have IIS installed, executing the SelfSSL
command as shown above will end with an error message “Error opening metabase: 0x80040154”. That just means the IIS site was
not found but you can ignore that error message since the Certificate you
need for PEAP authentication will have already been generated.

Creating the root certificate

Once the digital certificate has been generated on your
authentication server, you will need to export the root certificate for this Self
Signed Certificate. The digital certificate is different from the root certificate.
The digital certificate contains the public and private key pairs. The root certificate
only contains the public key and a self proclamation that “I am a root certificate”.
You will need this root certificate for publication on a Web-server or file-server
for manual root certificate deployment or you can import it in to your Active Directory
Group Policy for automatic root certificate Deployment.

To begin, you’ll need to open an MMC console by
clicking Start | Run. Then type “mmc” and OK.
You will see the following console appear (Figure
B
). From there, you’ll click “ADD/Remove Snap-in…”.

Figure B

MMC Console

You’ll then see this screen (Figure C). Click on the “ADD” button.

Figure C

Add/Remove Snap-in

On this screen (Figure
D
), highlight “Certificates” and click on “Add” again.

Figure D

Certificates

Select “Computer account” and click “Next”.
(Figure E)

Figure E

Computer account

Then select “Local computer” as shown below
in Figure F and click “Finish”.

Figure F

Local computer

You will see the resulting console appear. (Figure G)

Figure G

Console root

Expand “Certificates (Local Computer) to reveal the
following. Right click on “MyAuthServ.MyDomain”
or whatever you used for your SelfSSL “/N:CN” argument, hit “All Tasks” and then choose
“Export”. (Figure H)

Figure H

Export

You will see the following wizard (Figure I). Choose “Next”.

Figure I

Certificate Export Wizard

For this step, make sure you DO NOT export the “Private
Key” because that must be kept private on the server. If you use the “Yes,
export the private key” feature, that allows you to make a backup of the digital
certificate but you want to guard that file in a protected area. Anyone who gets
that file compromises your digital certificate because they now have a copy of your
private key. Exporting the private key also lets you take that digital certificate
and copy it to a redundant RADIUS server so you can import it there without having
to generate a second key. If you have more than one RADIUS authentication server,
make sure you copy the certificate over and don’t generate a second key unless you
want to complicate deployment matters by having to deploy two root certificates.
(Figure J)

Figure J

Not the private key

Use the “DER” format because it is compatible
with Windows and Windows Mobile devices (Figure
K
). Windows doesn’t care what format it’s in but Windows Mobile does.

Figure K

File format

Give the certificate a path and file name. (Figure L) You’ll need to note the name for
later use.

Figure L

Path and file name

Hit “Finish” and you’ve just exported your Self
Signed root certificate to a file. (Figure
M
)

Figure M

Finish

Now you’re have a self-signed root certificate ready to
be deployed to the clients automatically
or manually along with the digital
certificate on your authentication server ready to use. We’ll discuss how you actually
use this certificate on our Microsoft
IAS RADIUS server configuration guide.