Multiple clients' certificates management with 802.1x

My goal is to issue each device a different client certificate with EAP-TLS authentication of 802.1x (WPA2 Enterprise).

I will need your kind help with client certificate management. I have googled, but found no direct answer on how to manage these certificates.

For now, I keep each client.cnf and the files generated by 'make client' in a separate folder; each time a client certificate is added, I have to regenerate the CA's CRL and restart FreeRADIUS.

What is the best practice for keeping and managing these client certificates? Any sharing of experience would help.

I'm quite confused here; but perhaps it's because you are doing this a different way...

  • Wouldn't you generate a client cert from the CA...hence it's already valid in your setup?
  • Isn't the client cert kept on the client?

I may be wrong on the above; but from looking at the documentation:

  • Doesn't the client.cnf file allow you to specify a directory for certs???

See: https://fossies.org/linux/freeradius-server/raddb/certs/client.cnf

I am really no expert, but the way I did it was:

For each client:
  • adapt client.cnf (email, common name, input password, output password)
  • generate the client certificate
  • rename the client certificate files (.pem, .p12) to a client-specific name

And in the index.txt file you have an index of all issued certificates, with common name and email.

The client specific names would e.g. be laptop_fred if I had a son called Fred with a laptop, and as email I chose something like laptop.fred@myfamilyname.

Only for my server certificate I chose my real email address.

The most important thing is to choose the correct validity default_days. In my first certificates this was only 90 days, so after two and a half months I had to redo all of that again...
Anyhow, I could prove that an expired client certificate is no longer authenticated :slight_smile:

I generated all my client certificates on my raspi and then sent them to the clients via USB cable where possible, and of course the sent ones were encrypted with the output password specified in client.cnf.

...small correction: in the Makefile, after creating the client certificate, the client.pem file is automatically copied to a username.pem, with username being taken from client.cnf, either the common name or the email, I did not check exactly...
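As an added example (not code from this thread or from the FreeRADIUS project), here is a small Python script that reads the CA's index.txt mentioned above and answers the management question from the original post: which client certificates are valid, revoked, expired, or about to hit the default_days limit. The index.txt content, the device names and the reference time are constructed sample data.

```python
"""Inventory of issued EAP-TLS client certs from an OpenSSL CA index.txt."""
from datetime import datetime, timedelta, timezone

# Constructed sample index.txt (not from a real CA). Tab-separated fields:
# status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date, serial, file, subject.
SAMPLE_INDEX = """\
V\t260101120000Z\t\t01\tunknown\t/C=FR/O=Example Inc./CN=laptop_fred/emailAddress=laptop.fred@example.com
R\t260101120000Z\t250301090000Z\t02\tunknown\t/C=FR/O=Example Inc./CN=phone_fred/emailAddress=phone.fred@example.com
V\t250215080000Z\t\t03\tunknown\t/C=FR/O=Example Inc./CN=tablet_anna/emailAddress=tablet.anna@example.com
V\t250420080000Z\t\t04\tunknown\t/C=FR/O=Example Inc./CN=printer_hall/emailAddress=printer.hall@example.com
"""
NOW = datetime(2025, 3, 15, tzinfo=timezone.utc)  # constructed reference time

def _parse_time(stamp):
    # index.txt uses UTCTime (two-digit year) for dates before 2050.
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per issued certificate, in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        # Subject is OpenSSL 'oneline' form; assumes no escaped '/' inside values.
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({"serial": serial, "status": status, "cn": dn.get("CN"),
                        "email": dn.get("emailAddress"), "expires": _parse_time(expiry),
                        # newer OpenSSL may append ',reason' to the revocation date
                        "revoked": _parse_time(revoked.split(",")[0]) if revoked else None})
    return entries

def classify(entries, now=NOW, warn_days=30):
    """Group CNs by state. Expiry is judged from the date, not the status letter,
    because OpenSSL only rewrites V to E when 'openssl ca -updatedb' is run."""
    groups = {"valid": [], "expiring_soon": [], "expired": [], "revoked": []}
    horizon = now + timedelta(days=warn_days)
    for e in entries:
        if e["status"] == "R":
            groups["revoked"].append(e["cn"])
        elif e["expires"] <= now:
            groups["expired"].append(e["cn"])
        elif e["expires"] <= horizon:
            groups["expiring_soon"].append(e["cn"])
        else:
            groups["valid"].append(e["cn"])
    return groups

if __name__ == "__main__":
    print(classify(parse_index(SAMPLE_INDEX), NOW, warn_days=60))
```

Point it at the real raddb/certs/index.txt and run it from cron to get a warning before a batch of client certificates expires, instead of finding out when devices stop authenticating.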