From: nolade Date: Tue, 22 Apr 2025 20:32:24 +0000 (-0400) Subject: docs: update os/security certificates section X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bffd52121b536a696b6489c2b5e9b02595bd476b;p=thirdparty%2Ffreeradius-server.git docs: update os/security certificates section --- diff --git a/doc/antora/modules/howto/nav.adoc b/doc/antora/modules/howto/nav.adoc index 2125da5503d..eceefbaed55 100644 --- a/doc/antora/modules/howto/nav.adoc +++ b/doc/antora/modules/howto/nav.adoc @@ -83,8 +83,8 @@ **** xref:protocols/radius/proxy_config.adoc[Proxy configuration] ***** xref:protocols/radius/proxy_extensions.adoc[Proxy Extensions] -** Security Certificates -*** xref:os/letsencrypt.adoc[Using LetsEncrypt certificates] +** xref:os/index.adoc[Security Certificates] +*** xref:os/letsencrypt.adoc[LetsEncrypt] ** Vendors *** xref:vendors/ascend.adoc[Ascend] diff --git a/doc/antora/modules/howto/pages/os/index.adoc b/doc/antora/modules/howto/pages/os/index.adoc new file mode 100644 index 00000000000..597e0efe6c0 --- /dev/null +++ b/doc/antora/modules/howto/pages/os/index.adoc @@ -0,0 +1,7 @@ += Security Certificates + +FreeRADIUS supports security certificates and uses them for various authentication methods. FreeRADIUS can generate and manage its own certificates. Alternatively, you can install certificates from an external Certificate Authorities (CAs). + +EAP-TLS is a secure authentication method that relies on digital certificates to verify the identity of both the client and the server. See the following section to learn how to install and manage your certificates: + +* xref:os/letsencrypt.adoc[LetsEncrypt] diff --git a/doc/antora/modules/howto/pages/os/letsencrypt.adoc b/doc/antora/modules/howto/pages/os/letsencrypt.adoc index ab0239c2173..5be328b7c47 100644 --- a/doc/antora/modules/howto/pages/os/letsencrypt.adoc +++ b/doc/antora/modules/howto/pages/os/letsencrypt.adoc 
@@ -1,9 +1,9 @@ -= Using LetsEncrypt certificates += LetsEncrypt When configuring FreeRADIUS to use EAP, the use of keys and certificates are essential. Unfortunately this is one of those areas that can be hard to get right and prone to problems. Notably, -certificates can expiry at very inopportune moments. At which point +certificates can expire at very inopportune moments. At which point no one can get online. Our recommendation is always to use a private CA for both server @@ -13,11 +13,13 @@ can put many people off of this route. In that case, using a public CA certificate for the server is often seen as the most convenient answer, even if it is not the most secure. -WARNING: Never configure FreeRADIUS to use a public CA root in the +[WARNING] +==== +Never configure FreeRADIUS to use a public CA root in the `ca_file` or `ca_path` EAP module settings. This would potentially allow any secondary (intermediate) CA signed by that public CA to issue client certificates, and be authenticated by your server! - +==== == Prerequisites @@ -27,7 +29,7 @@ The instructions here depend on the following criteria: certificate for your RADIUS server, and are aware of the security considerations in doing so. -- You wish to use https://letsencrypt.org/[LetsEncrypt[ for this +- You wish to use https://letsencrypt.org/[LetsEncrypt] for this purpose, and want certificate renewals (usually every 2-3 months) to be automatic. @@ -79,12 +81,12 @@ based systems, `radius` if installed from source, or some other user. [NOTE] -=== +==== You *must* have a public IP address for the server, and there *must* be a DNS entry (of the name of the certificate you will be requesting) pointing to this IP. The server *must* be reachable on port 80 (HTTP) from the Internet. -=== +==== Install the `certbot` utility from LetsEncrypt. On Debian it can be installed from the default repositories:
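Review bot: in the new `os/index.adoc`, "from an external Certificate Authorities (CAs)" pairs a singular article with a plural noun; write either "from an external Certificate Authority (CA)" or "from external Certificate Authorities (CAs)". The same paragraph offers an external CA as a plain alternative to FreeRADIUS-generated certificates, while `letsencrypt.adoc` in this same patch says the recommendation is always a private CA for both server and client and that a public CA is "not the most secure"; a one-line pointer to that recommendation, and to the warning about never putting a public CA root in `ca_file` or `ca_path`, would stop readers who land on the index first from taking the weaker option without knowing it. Minor: "See the following section" introduces a list with a single entry, so "See the following page" reads better until more pages are added.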
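Review bot: the "expiry" to "expire" fix in the first `letsencrypt.adoc` hunk is correct; while touching this paragraph, the unchanged context line "the use of keys and certificates are essential" should read "is essential", since the subject is "the use".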
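Review bot: converting the WARNING into a delimited `[WARNING]` / `====` block is the right form for a multi-sentence admonition, and it keeps the key point intact: a public CA root in `ca_file` or `ca_path` means any intermediate CA under that root can issue certificates your server will accept. Consider adding one sentence on what belongs there instead, namely the private CA that issues your client certificates, since the preceding paragraph only says a private CA is recommended and does not tie that back to these two settings.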
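Review bot: the NOTE delimiter fix (`===` to `====`) is correct; a three-character line is not a valid block delimiter in AsciiDoc, so the admonition body would not have rendered as a block. The note makes port 80 reachable from the Internet a hard requirement for the RADIUS host; it is worth stating that this exposure is only needed while `certbot` is issuing or renewing the certificate (every 2-3 months per the Prerequisites), so administrators can restrict the port outside those windows rather than leave an authentication server permanently reachable from the Internet.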