3.1.4 Certification Creation for TLS Client Authentication

For EAP-TLS and PEAPv0/1 with TLS, one more set of certificates is required for client authentication. The ATWINC uses the newly created client public certificate and private key (for example, winc_client_private.crt and winc_client_private.key), and the authentication server uses the newly created CA certificate (for example, radius_root.crt).

Perform the following steps to generate the certificates for TLS client authentication:

  1. Generate the CA key using the openssl genrsa -out radius_root.key 2048 command.
  2. Generate the CA certificate from the CA key using the openssl req -new -x509 -days 365 -key radius_root.key -out radius_root.crt command.

Perform the following steps to generate the Certificate Signing Request (CSR) and public certificate:

  1. Generate a Client key using the openssl genrsa -out winc_client_private.key 2048 command.
  2. Generate the CSR from the client key (winc_client_private.key) using the openssl req -new -key winc_client_private.key -out winc_client_private.csr command.
  3. Sign the CSR with the CA certificate and CA key to generate the public certificate using the openssl x509 -req -days 365 -in winc_client_private.csr -CA radius_root.crt -CAkey radius_root.key -set_serial 01 -out winc_client_private.crt command.

Figure 3-2. Certificates Required for EAP-TLS and EAP-PEAPv0/1 with TLS
  1. server.crt must be signed by winc_root.cer.
  2. winc_client_private.crt must be signed by radius_root.crt.
Note:
  • Server authentication requires the server.key, server.crt and winc_root.cer certificates.
  • Client authentication requires the radius_root.crt, winc_client_private.key and winc_client_private.crt certificates.
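
The two procedures above, run non-interactively and followed by a check that winc_client_private.crt is signed by radius_root.crt and matches winc_client_private.key. This is an added example, not part of the original document; the -subj names, the function names and the chmod step are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive run of the steps above plus two sanity checks.
# Subject names are constructed placeholders; file names are the page's examples.
# Usage: make_client_auth_certs ./certs &&
#        check_client_auth_certs ./certs/radius_root.crt \
#            ./certs/winc_client_private.crt ./certs/winc_client_private.key

# Create the CA key/certificate and the client key/CSR/certificate in directory $1.
make_client_auth_certs() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # CA key and self-signed CA certificate (used by the authentication server)
        openssl genrsa -out radius_root.key 2048 2>/dev/null &&
        openssl req -new -x509 -days 365 -key radius_root.key \
            -subj "/CN=Example RADIUS Root CA" -out radius_root.crt &&
        # Client key, CSR, and CA-signed client certificate (used by the ATWINC)
        openssl genrsa -out winc_client_private.key 2048 2>/dev/null &&
        openssl req -new -key winc_client_private.key \
            -subj "/CN=example-winc-client" -out winc_client_private.csr &&
        openssl x509 -req -days 365 -in winc_client_private.csr \
            -CA radius_root.crt -CAkey radius_root.key -set_serial 01 \
            -out winc_client_private.crt 2>/dev/null &&
        # Assumption: keep both private keys readable by the owner only
        chmod 600 radius_root.key winc_client_private.key
    )
}

# Succeeds only if certificate $2 chains to CA $1 and private key $3 matches $2.
check_client_auth_certs() {
    ca=$1 cert=$2 key=$3
    # Signature check: the client certificate must verify against the CA certificate
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # Key-pair check: public key in the certificate equals the one derived from the key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

A failing check before provisioning usually means the certificate was signed with a different CA key or paired with the wrong private key file.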