diff -u -r freeradius-server-2.1.12.orig/raddb/certs/bootstrap freeradius-server-2.1.12/raddb/certs/bootstrap
--- freeradius-server-2.1.12.orig/raddb/certs/bootstrap 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/bootstrap 2012-01-05 16:41:25.593656314 -0500
@@ -13,6 +13,9 @@
 umask 027
 cd `dirname $0`
+# Configure openssl to use our random file, not $HOME/.rnd
+export RANDFILE=random
+
 make -h > /dev/null 2>&1
 #
@@ -80,3 +83,6 @@
 if [ ! -f client.crt ]; then
 openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 fi
+
+chmod 0640 random || exit 1
+chown root:radiusd * || exit 1
diff -u -r freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf
--- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/ca.cnf 2012-01-05 13:50:04.768217147 -0500
@@ -14,9 +14,9 @@
 RANDFILE = $dir/.rand
 name_opt = ca_default
 cert_opt = ca_default
-default_days = 365
+default_days = 60
 default_crl_days = 30
-default_md = md5
+default_md = sha1
 preserve = no
 policy = policy_match
diff -u -r freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf
--- freeradius-server-2.1.12.orig/raddb/certs/client.cnf 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/client.cnf 2012-01-05 13:50:04.768217147 -0500
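Review bot: `export RANDFILE=random` in the first bootstrap hunk is a relative path, so it names the intended file only if the `cd` on the context line just above it succeeded, and that `cd` is unquoted and its status is not checked. If the script directory contains whitespace or the `cd` fails, openssl would read and write `random` in whatever directory the caller happened to be in. Consider `cd "$(dirname "$0")" || exit 1` ahead of the export. The same export is added in the first Makefile hunk, while the .cnf files in this patch still carry `RANDFILE = $dir/.rand`; which of the two each openssl subcommand honours is not visible here, so it is worth confirming they end up at the same file.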
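Review bot: `chown root:radiusd *` at the end of bootstrap gives the radiusd group ownership of every file in the certs directory, and that includes `ca.key`, which the `openssl ca` line in this hunk uses as the CA signing key. With the `umask 027` set earlier in the script, files created there are presumably group-readable, so the daemon's group could read the CA private key. The server presumably needs only its own key, the certificates, `dh` and `random`, so consider naming those files explicitly and following with `chown root:root ca.key && chmod 0600 ca.key`. A bare `*` also lets a file name beginning with `-` be parsed as an option; `chown root:radiusd ./*` avoids that. The same glob appears in the `permissions:` target added to the Makefile.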
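Review bot: `default_md = sha1` in ca.cnf replaces MD5 with a digest that is itself no longer considered collision-resistant for certificate signatures; `default_md = sha256` would be the safer value if the OpenSSL this package targets supports it. The identical hunks in client.cnf and server.cnf have the same issue. Separately, `default_days = 60` makes the generated certificates expire two months after creation, while the eap.conf hunk in this patch stops the server from running bootstrap itself. A comment next to the setting would make the expiry visible to administrators, for example `# short-lived test certificates: replace with site certificates before they expire`.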
@@ -14,9 +14,9 @@
 RANDFILE = $dir/.rand
 name_opt = ca_default
 cert_opt = ca_default
-default_days = 365
+default_days = 60
 default_crl_days = 30
-default_md = md5
+default_md = sha1
 preserve = no
 policy = policy_match
diff -u -r freeradius-server-2.1.12.orig/raddb/certs/Makefile freeradius-server-2.1.12/raddb/certs/Makefile
--- freeradius-server-2.1.12.orig/raddb/certs/Makefile 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/Makefile 2012-01-05 16:40:24.178295246 -0500
@@ -9,6 +9,9 @@
 #
 ######################################################################
+# Configure openssl to use our random file, not $HOME/.rnd
+export RANDFILE=random
+
 DH_KEY_SIZE = 1024
 #
@@ -26,8 +29,8 @@
 # Make the necessary files, but not client certificates.
 #
 ######################################################################
-.PHONY: all
-all: index.txt serial dh random server ca
+.PHONY: all permissions
+all: index.txt serial dh random server ca permissions
 .PHONY: client
 client: client.pem
@@ -121,6 +124,10 @@
 date > ./random; \
 fi
+permissions:
+ @chmod 0640 random
+ @chown root:radiusd *
+
 print:
 openssl x509 -text -in server.crt
diff -u -r freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf
--- freeradius-server-2.1.12.orig/raddb/certs/server.cnf 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/server.cnf 2012-01-05 13:50:04.769217140 -0500
@@ -14,9 +14,9 @@
 RANDFILE = $dir/.rand
 name_opt = ca_default
 cert_opt = ca_default
-default_days = 365
+default_days = 60
 default_crl_days = 30
-default_md = md5
+default_md = sha1
 preserve = no
 policy = policy_match
diff -u -r freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf
--- freeradius-server-2.1.12.orig/raddb/eap.conf 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12/raddb/eap.conf 2012-01-05 13:50:04.769217140 -0500
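Review bot: The new `permissions:` target in the third Makefile hunk has no prerequisites of its own and is ordered only by being last in the `all:` list (second Makefile hunk). Under a parallel make it can therefore run before `random` or the key files exist, in which case `chmod 0640 random` fails or the chown misses files created afterwards. Declaring the dependency on the rule itself, `permissions: index.txt serial dh random server ca`, makes the ordering explicit. The leading `@` on both commands also keeps them out of the build output, which makes an ownership failure harder to diagnose. The `random` rule whose tail opens this hunk begins outside it.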
@@ -281,7 +281,11 @@
 # for the server to print out an error message,
 # and refuse to start.
 #
- make_cert_command = "${certdir}/bootstrap"
+ # Redhat RPM's run the bootstrap certificate creation
+ # as part of the RPM install (not upgrade), therefore
+ # the make_cert_command is commented out.
+ #
+ #make_cert_command = "${certdir}/bootstrap"
 #
 # Elliptical cryptography configuration
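Review bot: The added comment explains why `make_cert_command` is disabled but not what an administrator must do when the certificates are missing or have expired, which matters more now that the .cnf hunks in this patch cut their lifetime to 60 days. A line such as `# To create the test certificates by hand, run ${certdir}/bootstrap as root.` would cover the missing-file case; expired files are presumably not recreated, since the visible part of bootstrap only generates a certificate when the file is absent. The comment could also say that these are test certificates meant to be replaced with site-issued ones. As wording, "Redhat RPM's" would read better as "Red Hat RPMs". The enclosing configuration block starts and ends outside the hunk.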