IAS PEAP certificates
Generating Windows IAS PEAP & LDAPS certificates using OpenSSL
It is possible to generate a signed certificate for Windows Internet Authentication Service (IAS) and for LDAPS access to an Active Directory domain controller using OpenSSL.
You need to generate a private/public key pair, get it signed by your chosen CA, convert the result to PKCS12 format and then import it into your Windows certificate store.
Sounds simple, and it is, until you find that Windows requires the PKCS12 file to contain a couple of Microsoft-specific bag attributes on the key bag. Namely the Cryptographic Service Provider name (OID 1.3.6.1.4.1.311.17.1) set to 'Microsoft RSA SChannel Cryptographic Provider', and LocalKeySet (OID 1.3.6.1.4.1.311.17.2), which carries no value and tells CryptoAPI that the key belongs in the local machine key store rather than the user's.
At the time of writing OpenSSL didn't support LocalKeySet, so it was necessary to patch it yourself. (OpenSSL 1.0.0 and later ship the -CSP and -LMK options in the pkcs12 subcommand natively, so no patch is needed on those releases.)
I have patches for various versions of OpenSSL. The concept for these patches was derived from a patch originally written by Daniel Carroll for version 0.9.7d.
Once you've got your patched OpenSSL you need to generate a CSR in the usual way and get it signed by a CA. The certificate must meet a few requirements in order to work:
- The certificate must chain to a trusted CA.
- The X509 Extended Key Usage must contain Server Authentication (OID 1.3.6.1.5.5.7.3.1).
- The CN in the subject of the certificate must match the fully qualified machine name.
- For LDAPS the subject must match the full computer name including the Active Directory domain (eg. hostname.ad-domain.domain) as indicated by the Computer Name tab of the System Properties.
- The certificate must pass the CryptoAPI certificate store checks; for that the PKCS12 file must carry the two bag attributes listed above.
To add the extra bag attributes use the following command:
openssl pkcs12 -name "PEAP Certificate" -export -in peap.pem -out peap.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK
Import the PKCS12 file into your machine's Personal certificate store (the Local Computer store, not the current user's) and it should now work with PEAP or LDAPS.
This is an example shell script I use to generate the certificates. To ensure that the certificate contains the correct extendedKeyUsage values you will need to add the following section to your openssl.cnf file and reference it when signing (for example with -extensions sign_ias_csr):
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
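As an added worked example (not the page's own script or any of its patches), the following POSIX shell script runs the whole procedure end to end against a throwaway lab CA so the result can be checked offline: it writes the sign_ias_csr section above into a minimal openssl.cnf, issues a certificate for a hypothetical machine ias.ad.example.com, exports the PKCS12 file with -CSP and -LMK, then confirms the checkable requirements (chains to the CA, carries serverAuth, issued to the FQDN) with openssl verify and inspects the bag attributes by parsing the file back. It assumes an openssl binary whose pkcs12 subcommand accepts -CSP and -LMK (the patched build described here, or OpenSSL 1.0.0 and later); the CA name, hostname, scratch directory and password are placeholders. The subjectAltName and the 3DES/SHA-1 PBE options are additions beyond the page: current TLS clients match the SAN rather than the CN, and OpenSSL 3 builds default to an AES-256/PBKDF2 PKCS12 encoding that older Windows releases cannot import.

```shell
#!/bin/sh
# Added example, not the page's own script. Runs the IAS PEAP / LDAPS procedure
# end to end against a throwaway lab CA and checks the result.
# Assumes: openssl on PATH whose `pkcs12` accepts -CSP and -LMK (patched build
# or OpenSSL >= 1.0.0). FQDN, CA name, password and WORK dir are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-ias.ad.example.com}"      # must equal the machine's full computer name
P12PASS="pass:changeit"                  # placeholder export password
CSP_NAME="Microsoft RSA SChannel Cryptographic Provider"

# Minimal openssl.cnf carrying the sign_ias_csr section from the page, plus a
# CA section for the lab root. subjectAltName is an addition: current TLS
# clients match the name against the SAN rather than the subject CN.
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = $FQDN

[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = DNS:$FQDN
EOF
}

# Throwaway CA: in production this step is your real CA signing the CSR.
make_lab_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$WORK/ca.key" \
    -subj "/CN=Example Lab CA" -config "$WORK/openssl.cnf" \
    -extensions v3_ca -out "$WORK/ca.pem"
}

# Key pair and CSR for the IAS / domain controller machine (CN from req_dn).
make_csr() {
  openssl genrsa -out "$WORK/peap.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/peap.key" \
    -config "$WORK/openssl.cnf" -out "$WORK/peap.csr"
}

# Sign the CSR applying the sign_ias_csr extensions; this is what gives the
# certificate its serverAuth EKU.
sign_csr() {
  openssl x509 -req -sha256 -days 730 -in "$WORK/peap.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions sign_ias_csr \
    -out "$WORK/peap.pem" 2>/dev/null
}

# Export to PKCS12 with the two Microsoft bag attributes. The PBE/MAC options
# force the 3DES/SHA-1 encoding older Windows releases need when the build is
# OpenSSL 3 (whose AES-256/PBKDF2 default they cannot import).
export_p12() {
  openssl pkcs12 -export -name "PEAP Certificate" \
    -inkey "$WORK/peap.key" -in "$WORK/peap.pem" -certfile "$WORK/ca.pem" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -CSP "$CSP_NAME" -LMK \
    -passout "$P12PASS" -out "$WORK/peap.p12"
}

# Page requirements: chains to the CA, carries serverAuth, issued to the FQDN.
# `-purpose sslserver` enforces the EKU, `-verify_hostname` enforces the name.
verify_cert() {
  openssl verify -purpose sslserver -verify_hostname "$FQDN" \
    -CAfile "$WORK/ca.pem" "$WORK/peap.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$WORK/peap.pem" -noout -subject | grep -q "$FQDN"
}

# Last requirement: parse the PKCS12 back and look for the CSP name and the
# valueless LocalKeySet attribute among the key bag's Bag Attributes.
p12_has_ms_attrs() {
  dump=$(openssl pkcs12 -in "$WORK/peap.p12" -passin "$P12PASS" -nodes 2>/dev/null)
  printf '%s\n' "$dump" | grep -q "CSP Name: $CSP_NAME" &&
  printf '%s\n' "$dump" | grep -Eqi 'Local Key ?set|1\.3\.6\.1\.4\.1\.311\.17\.2'
}

write_config
make_lab_ca
make_csr
sign_csr
export_p12
if verify_cert && p12_has_ms_attrs; then
  echo "peap.p12 ready for import: $WORK/peap.p12"
else
  echo "certificate or PKCS12 checks failed" >&2
  exit 1
fi
```

Run it with FQDN set to the real computer name, then import the resulting .p12 into the Local Computer Personal store. If the parse step shows the CSP and LocalKeySet lines missing, the openssl binary in PATH is an unpatched pre-1.0.0 build that silently ignored the options.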