@Eatsshootsandleaves said in Setting up a MS 2019 PKI for secure Wifi access - will this break anything in domain??:

Newbie to Certificate Services and while everything in our domain fine I need to refresh our Wifi setup to be more secure and using certs with EAP-TLS seems to be the best way to go.
Introducing a PKI into our domain is there any chance this may break existing functionality - I only want this PKI for Wifi nothing else. Thanks guys

No, you can bring up a PKI such as AD CS without any impact to existing infrastructure.

Once you distribute certificates, and require them for WiFi connection as in your example, only then will it have an obvious impact.

Of course there are many variables at play, but generally speaking, without any major or crazy numbers in any aspect, it won't mess with anything simply by creating a PKI.

Just make sure to use proper planning in every aspect. It's a PITA to revoke, remove, and redistribute certs because you didn't plan for something and need to make a change.

@JaredBusch said in OpenSSL CSR with Subject Alternative Name:

@EddieJennings said in OpenSSL CSR with Subject Alternative Name:

@JaredBusch Correct. The "ye olde way" is how I've typically made a CSR and private key. The link I included talks about making a configuration file, which allows you to include SAN in your CSR.

Ah, did not read the link. Yes, using a config file is the only method to get any SAN on a cert with OpenSSL.

And after re-reading my post, I realized how terrible it was :(. I was hoping to find a one liner kind of thing, but alas. That particular article made it clear how to do it.

If this is CentOS you need to either turn off SELinux (probably best here) or reset the permissions again.