IAS PEAP certificates

Generating Windows IAS PEAP & LDAPS certificates using OpenSSL

It is possible to generate a signed certificate for Windows Internet Authentication Service (IAS) and LDAPS access to an Active Directory using OpenSSL.

You need to generate a private/public key pair, sign it with your chosen CA, convert it to PKCS12 format and then import it into your Windows certificate store.

Sounds simple - it is, until you find that Windows requires the PKCS12 file to contain a couple of Microsoft-specific bag attributes. Namely the Cryptographic Service Provider name (oid=1.3.6.1.4.1.311.17.1) set to 'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet (oid=1.3.6.1.4.1.311.17.2) set to an empty string.

OpenSSL currently doesn't support LocalKeySet, so it's necessary to patch it yourself.

I have patches for various versions of OpenSSL. The concept for these patches was derived from a patch originally written by Daniel Carroll for version 0.9.7d.

Once you've got your new patched version of OpenSSL you need to generate a CSR in the usual way and get it signed by a CA. There are a few requirements that the certificate must comply with in order to work:

  • The certificate must chain to a trusted CA.
  • The X509 Extended Key Usage must contain Server Authentication (oid=1.3.6.1.5.5.7.3.1).
  • The name in the subject line of the certificate must match the fully qualified machine name.
    • For LDAPS the subject line must match the full computer name including the Active Directory domain (e.g. hostname.ad-domain.domain) as indicated by the Computer Name tab of the System Properties.
  • The certificate must pass the CryptoAPI certificate store checks - in order to do this the PKCS12 file must have the bag attributes listed above.

To add the extra bag attributes use the following command:

openssl pkcs12 -name "PEAP Certificate" -export -in peap.pem -out peap.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK

Import the PKCS12 file into your machine's personal certificate store and it should now work with PEAP or LDAP.

This is an example shell script I use to generate the certificates. In order to ensure that the certificate contains the correct extendedKeyUsage attributes you will need to add the following to your openssl.conf file:

[ sign_ias_csr ]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
keyUsage                        = digitalSignature, keyEncipherment
extendedKeyUsage                = clientAuth,serverAuth
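The whole workflow, from key pair to PKCS12 export and the checks worth running before importing, as an added example script (not the author's own script, which is not reproduced here). It assumes a reasonably current OpenSSL where pkcs12 accepts -CSP and -LMK; the CA, the FQDN and the password default are constructed for the example.

```shell
# Added example, not the page author's script: key pair, CSR, signing with a
# throwaway CA (real use: submit the CSR to your own CA), p12 export, checks.
set -eu
export P12_PASS="${P12_PASS:-changeit}"   # constructed default; override via env
# The page's [ sign_ias_csr ] section plus a SAN (assumption: current Windows matches the SAN).
write_ext_file() {   # $1 = fqdn, $2 = output path
    cat > "$2" <<EOF
[ sign_ias_csr ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth,serverAuth
subjectAltName         = DNS:$1
EOF
}
gen_csr() {   # $1 = fqdn (must be the full computer name), $2 = dir
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/peap.key" -out "$2/peap.csr" 2>/dev/null
}
sign_csr() {   # $1 = fqdn, $2 = dir; throwaway test CA signs with sign_ias_csr
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -keyout "$2/ca.key" -out "$2/ca.pem" 2>/dev/null
    write_ext_file "$1" "$2/ias.cnf"
    openssl x509 -req -days 365 -in "$2/peap.csr" -CA "$2/ca.pem" \
        -CAkey "$2/ca.key" -CAcreateserial -extfile "$2/ias.cnf" \
        -extensions sign_ias_csr -out "$2/peap.pem" 2>/dev/null
}
# -CSP and -LMK add the two bag attributes. OpenSSL 3 encrypts the p12 with
# AES-256/PBKDF2; if an older Windows rejects it, add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
export_p12() {   # $1 = dir; password read from the environment, not argv
    openssl pkcs12 -export -name "PEAP Certificate" -in "$1/peap.pem" \
        -inkey "$1/peap.key" -certfile "$1/ca.pem" -out "$1/peap.p12" \
        -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK \
        -passout env:P12_PASS
}
# Pre-import checks: serverAuth EKU present and both bag attributes in the p12.
check_bundle() {   # $1 = dir; returns non-zero if anything is missing
    openssl x509 -in "$1/peap.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    dump=$(openssl pkcs12 -in "$1/peap.p12" -nodes -nocerts -info \
        -passin env:P12_PASS 2>/dev/null)
    echo "$dump" | grep -q 'Microsoft CSP Name' || return 1
    echo "$dump" | grep -q 'Microsoft Local Key set'
}
build_ias_bundle() {   # $1 = fqdn, $2 = dir
    gen_csr "$1" "$2" && sign_csr "$1" "$2" && export_p12 "$2" && check_bundle "$2"
}
if [ "$#" -ge 1 ]; then build_ias_bundle "$1" "${2:-.}"; fi
```

Run as `sh script.sh hostname.ad-domain.domain /path/to/outdir`; the resulting peap.p12 only passes check_bundle when the EKU and both Microsoft bag attributes are present.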