Question: which 3rd party CA for EAP

Stefan Winter stefan.winter at
Mon Apr 30 13:15:12 CEST 2012


> We are trying to set up eap for different mobile devices. We don't need
> certificates for each user, we want to authorize against the radius with
> username and password only.
> With self signed certificates it's working if the mobile devices install
> the root ca certificate.
> We tried several 3rd party certificates: StartSSL, united ssl, godaddy,
> test certificates from thawte.
> Apple and windows clients are claiming, that the certificate is not
> trusted.
> Has anybody a working solution with 3rd party certificates and can tell
> us which certificate could be used and what needs to be configured in
> eap.conf?

You should be aware that the "trusted" status of a CA is completely
independent in browsers vs. for EAP.

Browsers have a (large|too large) set of CAs which they consider trusted.

EAP supplicants typically trust NO CA unless explicitly configured to.

In the Windows case, the supplicant will trust the 3rd party certs just
fine as soon as you open the EAP properties and check the box of that CA.

So, very often you will require extra manual/scripted configuration
whether you use a self-signed CA or not; merely the actual import of the
certificate file can be omitted if the CA is shipped.

I.e. you don't gain a lot, and spend more money when using a "trusted"
CA, so in the vast majority of cases, it is the wiser way to use a
self-signed CA.


Stefan Winter

> Kind Regards
> Uwe

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
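
Added example, not part of the original message and not FreeRADIUS's own
scripts: a shell sketch of the self-signed CA approach recommended above,
showing that the server certificate verifies only when the private root is
explicitly supplied as the trust anchor. The CN values, file names and
validity periods are constructed for illustration, and it assumes an
OpenSSL 1.1.0 or later command-line tool with its default configuration file.

```shell
#!/bin/sh
# Added example: private root CA plus RADIUS server certificate for EAP.
# All subject names and file names below are constructed placeholders.

make_eap_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Self-signed root CA: the certificate every supplicant must be told to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example EAP Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Key and signing request for the RADIUS server.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.org" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Leaf extensions: Windows supplicants require the Server Authentication
    # EKU in the certificate the RADIUS server presents.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:radius.example.org' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days 730 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Succeeds: the private root is explicitly configured as trust anchor,
# the equivalent of selecting the CA in the supplicant's EAP settings.
trusts_with_anchor() {
    openssl verify -purpose sslserver -CAfile "$1/ca.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# Fails: no CA configured at all, the starting state of a typical supplicant.
trusts_with_no_anchor() {
    openssl verify -purpose sslserver -no-CAfile -no-CApath \
        "$1/server.pem" >/dev/null 2>&1
}

# True when the issued certificate carries the serverAuth EKU.
has_server_auth_eku() {
    openssl x509 -in "$1/server.pem" -noout -text |
        grep -q "TLS Web Server Authentication"
}

# Usage: make_eap_pki ./eap-pki && trusts_with_anchor ./eap-pki && echo trusted
```

The resulting ca.pem is the file to distribute to clients; ca.key should stay
offline and never be placed on the RADIUS server.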


More information about the Freeradius-Users mailing list