Self-Help Knowledge
Base Articles

 

LinkRunner G2: 802.1x Authentication - Certificate Requirements

 
 
Views: 0
 

Certificate Requirements:
When importing a certificate to the tester, the certificate must meet with the following requirements:

  • The certificate must contain the private key.
  • It must not be a self-signed certificate. (That is not signed by itself)
  • The private key must be marked as “exportable” if exported from the Windows certificate store.
  • The certificate chain may contain at a maximum one user certificate plus up to 5 chained CA certificates.
  • The certificate or key must be one of the following discrete sizes: 512, 768, 1024, 1280, 1536, 1792, 2048, 4096 bits.


NOTE: LinkRunner G2 uses “expired” certificates without checking the date.

Supported certificate file types:
 
PEM/CRT/CER
It is the most common format that Certificate Authorities issue certificates.  It contains the ‘—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements. Governed by RFCs, defined in RFC's 1421 through 1424.  PEM is the most common format.

  • They are Base64 encoded ASCII files
  • They have extensions such as. (.pem, .crt, .cer, .key)


Sometimes the private key is provided in a separate file. AirCheck Manager Software does not have a mechanism to combine the private key with the client certificate. You may be able to simply concatenate the text of the private key onto the client certificate in a text editor.

PFX/P12
Initially defined by RSA in the Public-Key Cryptography Standards, the "12" variant enhanced by Microsoft. If you want to store both the public and private key in an encrypted form, then you should use the (.pfx. pkcs12.p12) formats.

  • They are Binary format files
  • They have extensions (.pfx, .p12).
  • Typically used on Windows OS to import and export certificates and Private keys 


If you comply with the requirements above and are still experiencing issues; please review the list of potential issues below.

Most Common issues

  1. Missing Private Key or Client Certificate
  2. Missing or incorrect password
  3. The certificate does not meet the requirements above
  4. Incorrect format
  5. Some Radius Servers do not like spaces in the common name field and fail authentication.
  6. Certificates that have an empty "x509v3 Key Usage" field in the "x509v3 Extensions" section of the certificate. It should have entries like "Digital Signature" or "Key Encipherment" as the Key Usage field.