I love putting in extra effort if it will make things go more smoothly in the future. Certificate authentication is one of those things that can really take away a lot of the headache of wireless network authentication. To get real usability out of certificates, you want to make sure they work with all devices. Using certificate authentication only for domain-joined Windows PCs is just going to frustrate everyone involved; the solution has to cover all devices in order to be successful. Recently, something tripped me up for quite a while: when generating a certificate, never use another account to request it.
I thought that using my administrator account would make things easier and go more smoothly, since being an administrator gave me more options when generating certificates. That was my mistake. I used an administrator account to log on to the certificate request site (this setup uses Microsoft certificate server), supplied the Certificate Signing Request (CSR), and requested a user certificate. The certificates that came back were issued to the administrative account I had logged on with, not to the user I was creating the certificate for. When creating a certificate via the web interface, always log on as the account you are generating the certificate for; otherwise authentication will fail every time, because the certificate is associated with the authenticated user.
Since I don’t have a good way to push certificates to a Linux platform, I use a manual process. Linux requires that you have the certificate, the private key, and the certificate authority certificate. It will also ask for an “identity”. This identity is the user you are using to authenticate this connection. Ironically, it doesn’t use this identity when validating the certificate. This became very important when I used an administrative account to generate the certificate for the laptop: Microsoft Network Policy Server identified the certificate as belonging to the administrative account, not to the identity supplied when connecting.
So, it is important to remember that when using a Microsoft Certificate Authority to generate your certificates, log on to the website with the account that you will be using to authenticate to the NPS server.
When creating a user certificate, the following steps work for me. I began by generating a certificate request and the corresponding key using the following command:
openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr
Of course there are many ways this can be accomplished; this is simply an example. It is important to set a passphrase on this key, because the wireless connection wizard will not allow you to connect using a key file that is not password protected. It also makes the key file more secure and is good practice. Once I had the key file and the certificate signing request file, I copied the contents of the certificate request file and, using a web browser, headed over to my certificate authority’s web enrollment page (https://servername/certsrv) and entered the username and password of the user account that would be using this certificate.
I then selected request certificate, and advanced certificate request on the next page.
This provides a box to paste the certificate signing request into and allows for a couple of other options.
One of the options is to set the type of certificate you would like to generate. “User” should be selected here. The rest of the defaults should be fine for the certificate creation.
Once you submit the request and the certificate server generates the required certificates, you can save them and get ready to finish setting everything up.
Since the Linux tools expect certificates in PEM format, and the Microsoft CA hands back a DER-encoded .cer file, a quick conversion is necessary to complete the steps. Using the command below, the certificate is converted to a new PEM file.
openssl x509 -inform der -in certificate.cer -out certificate.pem
Now, when connecting, select your authentication type and make sure you choose TLS for certificate authentication. You will need to supply the key file, the PEM file, and the certificate authority file (which can be obtained from the certificate authority server that issued your certificate; it will also need to be converted to a PEM file). Finally, you will need to provide the identity that will be used to connect.
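The whole flow as a script, as an added example that is not part of the original post: a throwaway OpenSSL CA stands in for the Microsoft certificate server (it signs whatever name the requester supplies, which is where the real CA differs), the account names and passphrase are constructed, and the last function is the check worth running before touching the wireless settings: does the certificate actually name the identity you are about to type in?

```bash
#!/bin/sh
# Added example: lab reproduction of the CSR -> .cer (DER) -> PEM flow plus a
# subject check. The lab CA, account names and passphrase are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_lab_ca() {   # stand-in for the Microsoft CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 1: key + CSR. The key is passphrase-protected because the wireless
# wizard refuses an unprotected key file.
make_user_csr() {  # $1 = account name, $2 = passphrase
  openssl req -new -newkey rsa:2048 -passout "pass:$2" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 2: issue the certificate as DER, which is what the web enrollment page
# hands back as certificate.cer.
issue_user_cert() {  # $1 = account name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -outform der -out "$WORK/$1.cer" 2>/dev/null
}

# Step 3: the conversion from the post, DER .cer -> PEM.
der_to_pem() {  # $1 = account name
  openssl x509 -inform der -in "$WORK/$1.cer" -out "$WORK/$1.pem"
}

# Step 4: NPS authorizes the account named in the certificate, not the identity
# typed into the connection dialog, so the CN must equal that identity.
cert_matches_identity() {  # $1 = PEM file, $2 = identity; exit 0 on match
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

make_lab_ca
# Requested as jdoe: the certificate names jdoe and the identity jdoe will work.
make_user_csr jdoe 'lab-passphrase'; issue_user_cert jdoe; der_to_pem jdoe
# The outcome described in the post: a certificate that names administrator,
# which NPS will not accept for the identity jdoe.
make_user_csr administrator 'lab-passphrase'; issue_user_cert administrator
der_to_pem administrator
```

Point the connection wizard at `$WORK/jdoe.key`, `$WORK/jdoe.pem` and `$WORK/ca.pem` only after `cert_matches_identity "$WORK/jdoe.pem" jdoe` succeeds.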
That should be all that you need to successfully authenticate to a wireless network using certificates with a Linux based OS. Connecting using a Mac platform is very similar, but some of the steps are slightly different.