CA certificate on RFS7000 backup

// Expert user has replied.
s sun zhiguo 3 years 6 months ago
2 8 0

Hi all, My customer will use PEAP+CA certificate security on MC70. And will utilize RFS7000 integrated server certificate and redius server. One question, if host goes down, Can we migrate the same security  to backup switch(RFS7000)??  Is that means Host and backup switch must have the same database of certificate?? As we know, Certificate and validate are pair occur. Thanks for your kindly input!! sunzhiguo

Please Register or Login to post a reply

8 Replies

s sun zhiguo

Hi Kevin, I have checked the format of CA certificate is Base64.  But it can't opened on MC70, Mobile 5.0 system. Pls have a test on your device,if possible. Thanks sunzhiguo

R Robert Caporino

sunzhiguo You need to export the CA as a DER encoded binary X509 to install on WM devices. Make sure that you copy it to the My Documents folder and install from there. I have not had much luck with installing from the App directory. You will usually get an error when trying to install certificate from he.

s sun zhiguo

Hi , Thanks your kindly guide!! I have get the CA certificate and Server cert, but both of them can not be installed on MC70. The error Meg" can not open the file".  I have install them on Notebook, it work well. So  what happens on MC70? Thanks!! sunzhiguo

s sun zhiguo

Hi , Thanks your kindly guide!! I have get the CA certificate and Server cert, but both of them can not be installed on MC70. The error Meg" can not open the file".  I have install them on Notebook, it work well. So  what happens on MC70? Thanks!! sunzhiguo

K Kevin Marshall

For PEAP authentication, the MC70 will only require the CA root certificate. The MC70 and does not require any client or server certificate. The CA root certificate is required to validate the server certificate installed on the RF Switch and ensure mutual authentication. It basically allows the MU to verify that the end-point its about to forward credentials to is valid and trusted. In regards to the CA root certificate installation, my only suggestion would be to ensure that the CA Root certificate is in a PEM encoded format (Base64). You can verify this by opening the certificate in a text editor where you should see '-----BEGIN CERTIFICATE-----', a bunch of text followed by '-----END CERTIFICATE-----'. A CA root certificate in this format should install on any device! Its posible that the MC70 also requires something else to PEAP to function. For example it may only support PEAP-TLS authentication in which case a user certificate would also be required. I will have to defer this to the MC70 gurus as its been a while since I have played with Windows Mobile. Regards, Kevin

R Robert Caporino

Oops... attached the wrong one. Use this one.

K Kevin Marshall

All, A detailed How-To guide for configuring certificates in WiNG is available on Motopedia ( http://motopedia.mot.com/wiki/HOW-TOs) as well as the EWLAN web site ( http://compass.mot.com/go/ewlan-guides)  Regards, Kevin

R Robert Caporino

sunzhiguo The best way to accomplish this is to generate a CSR (certificate signing request) for each RFS7000 and have it signed by the customers CA authority and import the signed certificate along with the CA certificate back into the switch this will create a new trustpoint that can be used for the RADIUS server. Each MC70 would need to have the CA certificate installed (remember to set the correct date and time). You would also need to have the same database of users configured on each RFS. once this is done if the primary fails user will still be able to authenticate against the backup. I attached a doc on how to generate certificate signing requests from the RFS.

CONTACT
Can’t find what you’re looking for?