There are tools to create a Certification Authority and process certificates in an OpenSSL installation. Below you can find the steps to create a CA, a Radius server certificate and an IP Phone certificate. If your IP phones have no real-time clock, you can temporarily set your server's clock to 1970, which satisfies the default configuration of most network equipment. You need to correct your server's clock after creating the IP Phone certificate.
Before you start, you need to arrange the following files accordingly.
/System/Library/OpenSSL/misc/CA.pl
/System/Library/OpenSSL/misc/openssl.conf
Creating a new CA:
perl /System/Library/OpenSSL/misc/CA.pl -newca
Creating Radius server certificate:
openssl req -new -newkey rsa:1024 -days 22265 -keyout radius.privkey.pem -out radius.key.pem
openssl rsa -in radius.privkey.pem -out radius.privkey.pem
cat radius.privkey.pem >> radius.key.pem
openssl ca -extensions xpserver_ext -policy policy_anything -out radius.signedkey.pem -infiles radius.key.pem
cat radius.privkey.pem >> radius.signedkey.pem
rm radius.privkey.pem
rm radius.key.pem
Creating IP Phone client certificate:
openssl req -new -keyout newreq.pem -out newreq.pem -days 22265
openssl ca -extensions xpclient_ext -policy policy_anything -out newcert.pem -infiles newreq.pem
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out ipphone.p12 -clcerts
After these steps the CA public key cakey.pem, the Radius server certificate radius.signedkey.pem and the IP Phone certificate ipphone.p12 will have been created. cakey.pem and ipphone.p12 need to be uploaded to the IP PBX system; radius.signedkey.pem needs to be uploaded to the Radius server.
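As an added check (example code, not part of the original steps), the following POSIX shell script inspects the PEM files before they are uploaded: it counts certificate and private-key blocks, confirms that a file destined for the PBX carries no private key and that the Radius bundle is one certificate plus one unencrypted key, and, when openssl is available, prints a certificate's extendedKeyUsage so the xpserver_ext/xpclient_ext result can be confirmed. The sample PEM files it builds are constructed placeholders, and the demoCA paths and the check_* function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check PEM bundles
# before uploading them. Sample files below are constructed placeholders
# (no real key material); with the real output, point the checks at
# demoCA/cacert.pem, demoCA/private/cakey.pem and radius.signedkey.pem.

# Count PEM blocks of one type in a file. "PRIVATE KEY" also matches
# "RSA PRIVATE KEY" and "ENCRYPTED PRIVATE KEY"; "CERTIFICATE" does not
# match "CERTIFICATE REQUEST", so a leftover CSR is not counted as a cert.
pem_count() {  # $1=file $2=block type
    [ -r "$1" ] || { echo 0; return; }
    grep -c "^-----BEGIN .*$2-----" "$1" || true
}

# A file handed to the IP PBX / phones as the CA certificate must hold at
# least one certificate and no private key of any kind.
check_ca_upload() {
    [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] &&
    [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 0 ]
}

# The Radius server file built above is one signed certificate followed by
# one unencrypted private key (the passphrase was stripped with openssl rsa).
check_radius_upload() {
    [ "$(pem_count "$1" CERTIFICATE)" -eq 1 ] &&
    [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 1 ] &&
    [ "$(pem_count "$1" 'ENCRYPTED PRIVATE KEY')" -eq 0 ] &&
    ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# With openssl installed, show subject, expiry and EKU: xpserver_ext should
# give the Radius cert "TLS Web Server Authentication", xpclient_ext the
# phone cert "TLS Web Client Authentication" (extract the phone cert first
# with: openssl pkcs12 -in ipphone.p12 -nokeys -clcerts -out phone.pem).
show_eku() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    openssl x509 -in "$1" -noout -subject -enddate -ext extendedKeyUsage
}

# Constructed samples: PEM framing only, the bodies are not real DER.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/cacert.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...constructed...' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/cakey.pem"
cat "$SAMPLE_DIR/cacert.pem" "$SAMPLE_DIR/cakey.pem" > "$SAMPLE_DIR/radius.signedkey.pem"
for f in cacert.pem cakey.pem; do
    check_ca_upload "$SAMPLE_DIR/$f" && echo "$f: OK for PBX" || echo "$f: holds a private key, keep it on the CA host"
done
check_radius_upload "$SAMPLE_DIR/radius.signedkey.pem" && echo "radius.signedkey.pem: cert + key OK"
```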