FireBrick Road Warrior Certificate Authentication
It is possible to use Client Certificate authentication instead of using EAP Users.
This page is a work-in-progress and is not currently complete.
Step 1 - Generating Certificates
Creating Certificates
Follow the guidance at FireBrick Road Warrior Certificates to generate the usual set of certificates required for Road Warrior.
Generate a Client Key
Using the make-key script from the previous steps, generate a Client Key for your device.
./make-key client-key.pem
Generate the Client Certificate
Using a tool such as wget, download the make-client-cert script. This is a modified version of the make-cert script: it changes extended=extendedKeyUsage=serverAuth to extended=extendedKeyUsage=clientAuth so that the certificate it generates is a client certificate.
wget http://www.firebrick.co.uk/tools/make-client-cert
Once downloaded, run the script to generate your Client Certificate, remembering to change the FQDN to the one you are using for your FireBrick.
./make-client-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=client-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem client-cert.pem
Convert your Client Certificate to a PKCS#12 file
The .pfx file, in PKCS #12 format, is your actual Client Certificate that you will install on the end device, such as an Android or iOS device.
openssl pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem -certfile ca-cert.pem
Remember to set a password on this; you will need it when you import the certificate into your device.
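The only thing make-client-cert changes is the extended key usage, so it is worth confirming that client-cert.pem really carries clientAuth, chains to ca-cert.pem and matches client-key.pem before installing client.pfx. The following is an added example, not part of the FireBrick tools or the original page: check_client_cert and key_matches_cert are hypothetical helper names, and make_sample_pki only builds constructed throwaway test certificates with plain openssl.

```sh
#!/bin/sh
# Added example: sanity checks for the files produced by the steps above.
# Uses plain openssl; it is not one of the FireBrick make-* scripts.

# Pass only if the cert chains to the CA and carries the clientAuth EKU.
check_client_cert() {   # usage: check_client_cert client-cert.pem ca-cert.pem
    openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q "TLS Web Client Authentication"
}

# Pass only if the private key and the certificate hold the same public key.
key_matches_cert() {    # usage: key_matches_cert client-key.pem client-cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed test input: a throwaway CA plus one clientAuth and one
# serverAuth certificate, written to directory $1 (file names are hypothetical).
make_sample_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        > "$d/sample.cnf"
    openssl req -x509 -config "$d/sample.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample CA" -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" \
        2>/dev/null || return 1
    for eku in clientAuth serverAuth; do
        printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$eku.ext"
        openssl req -new -config "$d/sample.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=sample-$eku" -keyout "$d/$eku-key.pem" \
            -out "$d/$eku.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$eku.csr" -CA "$d/ca-cert.pem" \
            -CAkey "$d/ca-key.pem" -CAcreateserial -days 1 \
            -extfile "$d/$eku.ext" -out "$d/$eku-cert.pem" 2>/dev/null || return 1
    done
}
```

With the functions loaded, `check_client_cert client-cert.pem ca-cert.pem && key_matches_cert client-key.pem client-cert.pem` checks the real files; a non-zero exit status means the certificate was issued with the wrong usage, by a different CA, or for a different key.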