freeradius/conf/server.cnf

[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= ./
certs			= $dir
crl_dir			= $dir/crl
database		= $dir/index.txt
new_certs_dir		= $dir
certificate		= $dir/server.pem
serial			= $dir/serial
crl			= $dir/crl.pem
private_key		= $dir/server.key
RANDFILE		= $dir/.rand
name_opt		= ca_default
cert_opt		= ca_default
default_days		= 3650
default_crl_days	= 30
default_md		= sha256
preserve		= no
policy			= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
prompt			= no
distinguished_name	= server
default_bits		= 2048
input_password		= SuperSecretPassword1234
output_password		= SuperSecretPassword1234
req_extensions		= v3_req

[server]
countryName		= FR
stateOrProvinceName	= Radius
localityName		= Somewhere
organizationName	= Example Inc.
emailAddress		= admin@example.org
commonName		= "Example Server Certificate"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

#  This should be a host name of the RADIUS server.
#  Note that the host name is exchanged in EAP *before*
#  the user machine has network access.  So the host name
#  here doesn't really have to match anything in DNS.
[alt_names]
DNS.1 = radius.example.com

# NAIRealm from RFC 7585
otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com
Add: Freeradius && LDAP config 2023-05-13 00:42:30 +02:00			`[ ca ]`
			`default_ca = CA_default`

			`[ CA_default ]`
			`dir = ./`
			`certs = $dir`
			`crl_dir = $dir/crl`
			`database = $dir/index.txt`
			`new_certs_dir = $dir`
			`certificate = $dir/server.pem`
			`serial = $dir/serial`
			`crl = $dir/crl.pem`
			`private_key = $dir/server.key`
			`RANDFILE = $dir/.rand`
			`name_opt = ca_default`
			`cert_opt = ca_default`
			`default_days = 3650`
			`default_crl_days = 30`
			`default_md = sha256`
			`preserve = no`
			`policy = policy_match`

			`[ policy_match ]`
			`countryName = match`
			`stateOrProvinceName = match`
			`organizationName = match`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[ policy_anything ]`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`localityName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[ req ]`
			`prompt = no`
			`distinguished_name = server`
			`default_bits = 2048`
			`input_password = SuperSecretPassword1234`
			`output_password = SuperSecretPassword1234`
			`req_extensions = v3_req`

			`[server]`
			`countryName = FR`
			`stateOrProvinceName = Radius`
			`localityName = Somewhere`
			`organizationName = Example Inc.`
			`emailAddress = admin@example.org`
			`commonName = "Example Server Certificate"`

			`[ v3_req ]`
			`basicConstraints = CA:FALSE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`subjectAltName = @alt_names`

			`# This should be a host name of the RADIUS server.`
			`# Note that the host name is exchanged in EAP before`
			`# the user machine has network access. So the host name`
			`# here doesn't really have to match anything in DNS.`
			`[alt_names]`
			`DNS.1 = radius.example.com`

			`# NAIRealm from RFC 7585`
			`otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com`