- \n
- PowerShell 7.x.x (PowerShell 7<\/a> )<\/li>\n\n\n\n
- JumpCloud PowerShell Module<\/a><\/li>\n\n\n\n
- Before using these scripts, admins need to perform a one-time-only OpenSSL 3.x.x download and setup.\n
- \n
- This process can be found in the appendix of the RADIUS-CBA tools for BYO Certificates Whitepaper (PDF attachment; see files section on right).<\/li>\n\n\n\n
- See macOS\/ Windows Requirements below<\/li>\n\n\n\n
- This process is not compatible on Linux<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Certificate Authority (CA) – either from a vendor or self-generated<\/li>\n<\/ul>\n\n\n\n
System Requirements<\/h2>\n\n\n\n
macOS Requirements<\/h3>\n\n\n\n
macOS ships with a version of OpenSSL titled LibreSSL. LibreSSL is sufficient to generate the
usernameCN<\/code><\/kbd> andemailDN <\/code><\/kbd>type certificates but not the emailSAN<\/kbd> type certificate (due to the inclusion of x509 subject headers in the certificate body).
Because of this, a distribution of OpenSSL 3.x.x is required to run these scripts. While running the application, you’ll be prompted to locate Openssl 3.x.x if it is not found.<\/p>\n\n\n\n- \n
- To install the latest version of OpenSSL on mac, install the Homebrew package manager<\/a> and install the following formulae.<\/a><\/li>\n<\/ul>\n\n\n\n
Some packages or applications in macOS rely on the pre-configured LibreSSL distribution. To use the Homebrew distribution of OpenSSL in this project, simply change the $openSSLBinary variable to point to the Homebrew bin location ex:<\/p>\n\n\n\n
- \n
- In Config.ps1 change $opensslBinary to point to
\/usr\/local\/Cellar\/openssl@3\/3.0.7\/bin\/openssl<\/code><\/li>\n\n\n\n- ex:
$opensslBinary = \/usr\/local\/Cellar\/openssl@3\/3.0.7\/bin\/openssl<\/code><\/li>\n<\/ul>\n\n\n\nWindows Requirements<\/h3>\n\n\n\n
Windows does not typically ship with a preconfigured version of OpenSSL but a pre-compiled version of OpenSSL can be installed from Shining Light Productions<\/a>. These automations have been tested with the full installer (not the Light) version of the tool. OpenSSL can also be downloaded and configured from source<\/a> if desired.
If the pre-compiled version of OpenSSL was installed, the OpenSSL should be installed in <\/kbd>C:\\Program Files\\OpenSSL-Win64\\bin\\<\/code>. There should exist anopenssl.exe<\/code> binary in that directory. In addition, there should also exist alegacy.dll<\/code> file in that same directory which is required if generating$emailSAN<\/code> user certificates.
To set the required system environment variables for this automation:<\/p>\n\n\n\n- \n
- Open Control Panel<\/li>\n\n\n\n
- Select Edit the system environment variables<\/strong><\/li>\n\n\n\n
- Under the System Properties<\/strong> window and Advanced<\/strong> tab, select the Environment Variables…<\/strong> box.<\/li>\n\n\n\n
- Under the User Variables for yourAccount <\/strong>click the New…<\/strong> box\n
- \n
- Set the Variable Name to:
OPENSSL_MODULES<\/code><\/li>\n\n\n\n- Set the Variable Value to:
C:\\Program Files\\OpenSSL-Win64\\bin<\/code> or the location of thelegacy.dll<\/code> file included in your OpenSSL distribution<\/li>\n\n\n\n- Click OK.<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Under the System variables<\/strong> section scroll down to the Path<\/strong> variable, select it and click Edit…<\/strong>\n
- \n
- Add a new line entry for this variable and type
C:\\ProgramFiles\\OpenSSL-Win64\\bin<\/code> or the location of theopenssl.exe<\/code> file included in your OpenSSL distribution.<\/li>\n\n\n\n- Click OK<\/strong>.<\/li>\n\n\n\n
- Click OK<\/strong> to close and save the Environment Variables dialog box.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click OK<\/strong> to close and save the System Properties dialog box.<\/li>\n<\/ul>\n\n\n\n
The
openssl<\/code> command should be available in new PowerShell terminal windows.<\/p>\n\n\n\nConfigure EAP-TLS for RADIUS <\/h2>\n\n\n\n
Run the ‘Start-RadiusDeployment’ script<\/h3>\n\n\n\n
The set of automations described in this document are invoked by the menu-based powershell automation script `Start-RadiusDeployment`. This automation script provides a text based user interface for generating a CA, generating user certificates, distributing user certificates (via JumpCloud Commands) and monitoring the deployment status.
Before running the `Start-RadiusDeployment` automation script, the variables within the configuration file `config.ps1` must first be updated.<\/p>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \nBefore running the `Start-RadiusDeployment` automation script, the variables within the configuration file `config.ps1` must first be updated.<\/span><\/p>\n\n\n\n
Link: PowerShell Automation scripts for RADIUS Certificate Generation<\/a><\/p>\n\n\n\n
View PowerShell Automation scripts release notes<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Edit the RADIUS Configuration file<\/h3>\n\n\n\n
- \n
- Open the config.ps1 file with a text editor.<\/li>\n\n\n\n
- Set your API Key ID: change the variable
$JCAPIKEY<\/code> to an API Key from an administrator in your JumpCloud org.\n- \n
- An administrator read-write API Key with at least a Manager role is required to use this toolset. See the Admin Portal Roles<\/a> kb.<\/li>\n\n\n\n
- For more information on obtaining an API Key, see JumpCloud APIs<\/a>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Set your Organization ID: Change the variable
$JCORGID<\/code> to the organization ID value<\/a> from your JumpCloud org.<\/li>\n\n\n\n- Set your User Group ID: Change the variable
$JCUSERGROUP<\/code> to the ID of the JumpCloud user group with access to the Radius server.\n- \n
- The User Group ID is available on the JumpCloud Admin Console. Go to USER MANAGEMENT<\/strong> > User Groups<\/strong>, select the appropriate User Group, and view the url.\n
- \n
- The url will look similar to this:
https:\/\/console.jumpcloud.com\/#\/groups\/user\/5f808a1bb544064831f7c9fb\/details<\/code><\/li>\n\n\n\n- The ID of the User Group is the 24 character string between \/user\/<\/kbd> and \/details:
5f808a1bb544064831f7c9fb<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n- Set your network SSID Name.\n
- \n
- Change the variable
$NETWORKSSID<\/code> to the name of the SSID network your clients will connect to.\n- \n
- On macOS hosts, the user certificate will be set to automatically authenticate to this SSID when the end user selects the WiFi Network.<\/li>\n\n\n\n
- Multiple SSIDs can be provided as a single string; separate SSID names with a space.
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nThe SSID and user certificate are only associated with macOS system generated commands. This parameter does not affect Windows generated commands<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Set the open SSL Binary Location.\n
- \n
- This variable can point to a path or call the binary with the name openssl.\n
- \n
- For macOS systems<\/a>, this will likely need to be set to the openSSL binary installation path like
‘\/opt\/homebrew\/opt\/openssl@3\/bin\/openssl<\/code>‘ or ‘\/usr\/local\/Cellar\/openssl@3\/3.0.7\/bin\/openssl<\/code>‘<\/li>\n\n\n\n- For Windows, installing OpenSSL and setting an environment variable described in Windows Requirements<\/a> should be sufficient (no additional changes to
$opensslBinary<\/code> necessary)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n- Set your certificate subject headers: change the default values provided in the $Subj variable to Country, State, Locality, Organization, Organization Unit and Common Name values for your organization.<\/li>\n\n\n\n
- Set desired user certificate type: Change the
$certType<\/code> variable to eitherEmailSAN<\/code>,EmailDN<\/code>, orUsernameCn<\/code>.\n- \n
- JumpCloud RADIUS supports three types of user certificates:\n
- \n
- JumpCloud user email in the subject alternative name (
EmailSAN<\/code>)<\/li>\n\n\n\n- JumpCloud user email in the subject distinguished name (
EmailDN<\/code>)<\/li>\n\n\n\n- JumpCloud username in the common name (
UsernameCn<\/code>)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\nGenerate or Import a Certificate Authority<\/h3>\n\n\n\n
A Certificate Authority (CA) is required for passwordless Radius Authentication. The
radius_ca_cert.pem<\/code> file is to be uploaded to JumpCloud to serve as the Certificate Authority for subsequently generated user certificates. This CA can be imported or generated.The entire certificate generation process is managed through a PowerShell menu based script. To run the main program, open a PowerShell 7 terminal session and run:Start-RadiusDeployment.ps1<\/code>, which will present the following menu:![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png\")
<\/p>\n\n\n\nTo generate a self-signed certificate, use the first option in the menu.<\/p>\n\n\n\n
- \n
- The resulting file,
radius_ca_cert.pem<\/code>, will live in theprojectDirectory\/Radius\/Cert directory<\/code>.\n- \n
- A password will be required to protect the CA from unauthorized access. During the session this password will be stored as an environment variable as it is also required to generate user certificates.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
To import your own CA, the certificate and key files can be copied to the
projectDirectory\/Radius\/Cert directory<\/code>. <\/p>\n\n\n\n<\/p><\/div>Note:<\/strong> \nPlease ensure the certificate and key name ends with
key.pem<\/code> andcert.pem<\/code> (ex.radius_ca_cert.pem<\/code> orradius_ca_key.pem<\/code>)<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\nIn order to import a certificate from a .pfx file, the certificate and key needs to be extracted from .pfx file.<\/p>\n\n\n\n
- \n
- Extract the private key:
openssl pkcs12 -in certfile.pfx -nocerts -out \/projectDirectory\/Radius\/Cert\/radius_ca_key.pem<\/code>\n- \n
- Replace
certfile.pfx<\/code> to the file path of your .pfx file. Make sure theradius_ca_key.pem<\/code> is saved or moved to\/projectDirectory\/Radius\/Cert\/<\/code> directory<\/li>\n\n\n\n- This command will prompt for the .pfx password. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nPlease DO NOT FORGET the password as you will need it when generating user certificates.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Extract the certificate:
openssl pkcs12 -in certfile.pfx -nokeys -out \/projectDirectory\/Radius\/Cert\/radius_ca_cert.pem<\/code>\n- \n
- Replace
certfile.pfx<\/code> to the file path of your .pfx file. Make sure theradius_ca_cert.pem<\/code> is saved or moved to\/projectDirectory\/Radius\/Cert\/ directory<\/code>.<\/li>\n\n\n\n- Again, this command will prompt for the .pfx password.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nA password will be required to protect the CA from unauthorized access. During the session this password will be stored as an environment variable as it is also required to generate user certificates.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
After successful import or generation of a self-signed CA, the serial number and expiration date will be displayed on the main menu:
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deploy-root-CA.png\")
<\/p>\n\n\n\nGenerate User Certificates<\/strong><\/h3>\n\n\n\n
After the CA has been generated or imported, individual user certificates can be generated.<\/p>\n\n\n\n
- \n
- The ID of the user group stored as the variable:
$JCUSERGROUP<\/code> is used to store JumpCloud users destined for passwordless Radius access.<\/li>\n\n\n\n- For each user in the group, a
.pfx<\/code> certificate will be generated in the\/projectDirectory\/Radius\/UserCerts\/ directory<\/code>. <\/li>\n\n\n\n- The user certificates are stored locally and monitored for expiration.<\/li>\n\n\n\n
- If local user certificates are set to expire within 15 days, a notification is displayed on the main menu.<\/li>\n\n\n\n
- User certificates can be manually removed from the <\/kbd>
\/projectDirectory\/Radius\/UserCerts\/<\/code> <\/kbd>directory at any time, and regenerated using option 2 from the main menu. User certificates can be continuously re-applied to devices using option 3 to distribute user certificates.<\/li>\n<\/ul>\n\n\n\nDistribute User Certificates<\/h3>\n\n\n\n
Option 3 in the main menu will enable admins to distribute user certificates to end user devices. <\/p>\n\n\n\n
- \n
- Commands will be generated in your JumpCloud Tenant for each user in the Radius User Group and their corresponding system associations. <\/li>\n\n\n\n
- This script will prompt you to kick off the generated commands. If the commands are invoked, they should be queued for all users in the Radius User Group.\n
- \n
- These commands are queued with a TTL timeout of 10 days \u2014 meaning that if the end user device is offline when the command is queued, the command will sit in the JumpCLoud console for 10 days and wait for the device to come online before attempting to run.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- On the device, certificates are replaced if a command is sent to a device with a newer certificate.<\/li>\n<\/ul>\n\n\n\n
EXAMPLE
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-network-cert-distribution.png\")
<\/p>\n\n\n\nIn this example, users Bob and Ali were connected to a radius network with their individual certificates. Newly generated certificates are issued to Bob and Ali via generated JumpCloud Commands. Bob’s new user certificate with serial number XYZ1<\/kbd> would be installed and the older certificate with serial number ABC1<\/kbd> would be removed from the device. Ali’s user certificate with serial number HIJ2<\/kbd> would be installed and the older certificate with serial number EFG1<\/kbd> would be removed from the device.
Replacement of user certificates can occur while a device is actively connected to the radius network protected by passwordless certificate based authentication due to the fact that authentication is session based. If Bob authenticated to the radius network with cert serial number ABC1<\/kbd> the network session between Bob and the radius network is instantiated. During that session, the certificate ABC1<\/kbd> can be replaced with certificate XYZ2<\/kbd> from Bob’s computer without network interruption. Upon next authentication, the system should default to using the new certificate.
The generated JumpCloud commands for Bob will only remove certificate ABC1<\/kbd> if XYZ2<\/kbd> is installed successfully.<\/p>\n\n\n\nMonitor Certificate Deployment Status<\/h3>\n\n\n\n
After certificates have been distributed, you can view overall progress of the deployment through option 4 on the main menu.<\/p>\n\n\n\n
- \n
- This automation will query the deployment status of each generated command and display a table of the command status.\n
- \n
- If a command is no longer queued (either through cancellation or the TTL timeout of 10 days exceeded) or if the command failed (either through some standard error or end user not being logged in (exit code 4)) these commands can be reissued using the menu options.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- After issuing commands to devices, the list of commands issued to devices can be viewed.<\/li>\n\n\n\n
- Individual failed commands can be explored with option 2 from the certificate deployment menu.
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deply-failed-commands.png\")
<\/li>\n<\/ul>\n\n\n\n- \n
- Option 3 can be used to retry a failed command.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Overview This article covers how to use the PowerShell Automation scripts to generate and deploy certificates for use with passwordless […]<\/p>\n","protected":false},"author":204,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2845,2897],"support_tag":[],"coauthors":[2838],"acf":[],"yoast_head":"\n
Configure EAP-TLS for RADIUS using Certificate Example Scripts - JumpCloud<\/title>\n<meta name=\"description\" content=\"Discover the powershell scripts which replace the self-signed Certificate creation OpenSSL process.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Configure EAP-TLS for RADIUS using Certificate Example Scripts\" \/>\n<meta property=\"og:description\" content=\"Discover the powershell scripts which replace the self-signed Certificate creation OpenSSL process.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-03T17:04:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"10 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"jenniferklein\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts\",\"url\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts\",\"name\":\"Configure EAP-TLS for RADIUS using Certificate Example Scripts - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png\",\"datePublished\":\"2023-06-05T17:11:59+00:00\",\"dateModified\":\"2024-07-03T17:04:54+00:00\",\"description\":\"Discover the powershell scripts which replace the self-signed Certificate creation OpenSSL process.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Configure EAP-TLS for RADIUS using Certificate Example Scripts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Configure EAP-TLS for RADIUS using Certificate Example Scripts - JumpCloud","description":"Discover the powershell scripts which replace the self-signed Certificate creation OpenSSL process.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts","og_locale":"en_US","og_type":"article","og_title":"Configure EAP-TLS for RADIUS using Certificate Example Scripts","og_description":"Discover the powershell scripts which replace the self-signed Certificate creation OpenSSL process.","og_url":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts","og_site_name":"JumpCloud","article_modified_time":"2024-07-03T17:04:54+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"10 minutes","Written by":"jenniferklein"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts","url":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts","name":"Configure EAP-TLS for RADIUS using Certificate Example Scripts - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png","datePublished":"2023-06-05T17:11:59+00:00","dateModified":"2024-07-03T17:04:54+00:00","description":"Discover the powershell scripts which replace the self-signed Certificate creation OpenSSL process.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#primaryimage","url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png","contentUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/radius-cert-deployment-main-menu.png"},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/radius-certificate-example-scripts#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Configure EAP-TLS for RADIUS using Certificate Example Scripts"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/78825"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/204"}],"version-history":[{"count":2,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/78825\/revisions"}],"predecessor-version":[{"id":112498,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/78825\/revisions\/112498"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=78825"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=78825"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=78825"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=78825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Option 3 can be used to retry a failed command.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
- This automation will query the deployment status of each generated command and display a table of the command status.\n
- For each user in the group, a
- Again, this command will prompt for the .pfx password.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- Replace
- This command will prompt for the .pfx password. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- Replace
- Extract the private key:
- A password will be required to protect the CA from unauthorized access. During the session this password will be stored as an environment variable as it is also required to generate user certificates.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- JumpCloud user email in the subject distinguished name (
- JumpCloud user email in the subject alternative name (
- For Windows, installing OpenSSL and setting an environment variable described in Windows Requirements<\/a> should be sufficient (no additional changes to
- For macOS systems<\/a>, this will likely need to be set to the openSSL binary installation path like
- This variable can point to a path or call the binary with the name openssl.\n
- Set the open SSL Binary Location.\n
- The ID of the User Group is the 24 character string between \/user\/<\/kbd> and \/details:
- The url will look similar to this:
- For more information on obtaining an API Key, see JumpCloud APIs<\/a>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- An administrator read-write API Key with at least a Manager role is required to use this toolset. See the Admin Portal Roles<\/a> kb.<\/li>\n\n\n\n
- Click OK<\/strong>.<\/li>\n\n\n\n
- Set the Variable Value to:
- Under the System Properties<\/strong> window and Advanced<\/strong> tab, select the Environment Variables…<\/strong> box.<\/li>\n\n\n\n
- ex:
- In Config.ps1 change $opensslBinary to point to
- To install the latest version of OpenSSL on mac, install the Homebrew package manager<\/a> and install the following formulae.<\/a><\/li>\n<\/ul>\n\n\n\n
- JumpCloud PowerShell Module<\/a><\/li>\n\n\n\n