self-signed root CA

Phil Mayers p.mayers at imperial.ac.uk
Thu Jan 26 12:16:15 CET 2012


On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a
> self-signed CA for signing my RADIUS server certs.  To make a long
> story short, I was asked to find out what other people were doing.

This has been discussed extensively on the list!

>
> For my own reasons, I'd like to know slightly more than that.  If you
> AREN'T using a self-signed CA for your RADIUS server, what made you
> use another CA, and what CA did you use?

We use a Verisign cert. We chose this because we decided the difficulty 
of deploying the certificate to unmanaged client desktop, laptop and 
mobile devices was excessive, given our client base.

I should emphasise that this is a 5 year old decision; at the time, the 
various open-source cert deployment tools (e.g. su1x) were unavailable, 
and there was (indeed, still is) an unwillingness to pay for a solution 
such as CloudPath.

I should also emphasise that, at the time, the client base included 
Windows Mobile 5 devices (on which it is practically impossible to 
install certs) as well as guest laptops (on which the hassle of 
installing a cert eats significantly into the time the guest is here).

Therefore, we opted for a public cert.

If we were starting from scratch, we'd probably use a private cert and 
su1x to deploy it.

There is zero appetite to change certs (and reconfigure ~10,000 clients).

>
> And just to be clear, is the concensus still that a self-signed CA is
> the way to go, assuming that you have a decent way to distribute the
> CA cert (which we do) to the clients who need to trust it?

Yes, very much so. Is is the safer and more secure default option.



More information about the Freeradius-Users mailing list