IAS PEAP certificates

Generating windows IAS PEAP & LDAPS certificates using OpenSSL

It is possible to generate a signed certificate for Windows Internet Authentication Service (IAS) and LDAPS access to an Active Directory using OpenSSL.

You need to generate a private/public key pair sign it with your chosen CA, convert it to PKCS12 format and then import into your Windows certificate store.

Sounds simple - it is until you find that Windows requires the PKCS12 file to contain a couple of Microsoft specific Bag Attributes. Namely the Crypto Graphic Service Provider (oid= set to 'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet (oid= set to an empty string.

OpenSSL currently doesn't support LocalKeySet so it's necessary to patch it yourself.

I have a patches for various versions of OpenSSL. The concept for these patches was derived from a patch originally written by Daniel Carroll for version 0.9.7d.

Once you've got your new patched version of OpenSSL you need to generate a CSR in the usual way and get it signed by a CA. There are a few requirements that the certificate must comply with in order to work:

  • The certificate must chain to a trusted CA.
  • The X509 Extended Key Usage must contain Server Authentication (oid=
  • The name in the subject line of the certificate must match the fully qualified machine name.
    • For LDAPS the subject line must match the full computer name including the Active Directory domain (eg. hostname.ad-domain.domain) as indicted by the Computer Name tab of the System Properties.
  • The certificate must pass the CryptoAPI certificate store checks - in order to do this the PKCS12 file must have the bag attributes listed above.

To add the extra bag attributes use the following command:

openssl pkcs12 -name "PEAP Certificate" -export -in peap.pem -out peap.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK

Import the PKCS12 file into your machines personal certificate store and it should now work with PEAP or LDAP.

This is an example shell script I use to generate the certificates. In order to ensure that the certificate contains the correct extendedKeyUsage attributes you will need to add the following to your openssl.conf file:

[ sign_ias_csr ]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
keyUsage                        = digitalSignature, keyEncipherment
extendedKeyUsage                = clientAuth,serverAuth