self-signed root CA

Christ Schlacta lists at aarcane.org
Fri Jan 27 01:25:33 CET 2012


Self-signed provides stronger security in most cases.  I'm using 
self-signed here, and distributing a certificate to unmanaged user 
devices is as easy as placing a p12 file on a USB drive and requiring 
users to stop by ops before getting on wireless.  If you're using a 
public CA to sign certs, and you're not using TLS authentication (I'm 
guessing you're not.  Getting that many certs would be expensive), then 
anyone can impersonate your network and intercept perceivably protected 
traffic.  This is BAD.  Insofar as I know, nearly everyone on this list 
using certs is using self-signed.

On 1/25/2012 16:08, McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs.  To make a long story short, I was asked to find out what other people were doing.
>
> For my own reasons, I'd like to know slightly more than that.  If you AREN'T using a self-signed CA for your RADIUS server, what made you use another CA, and what CA did you use?
>
> And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?
>
> I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA.  The README explains briefly why, but my management wants more assurance than that, so here I am.
>
> Looking forward to your responses, and thanks in advance.
>
> --J
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
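The risk described in the reply above is a client-side trust problem: if the supplicant accepts any server certificate that chains to a broadly trusted public CA, then any certificate that CA has ever issued can stand in for the RADIUS server. The following wpa_supplicant network blocks are an added illustration, not configuration from the original thread or from the FreeRADIUS project; the SSID, identity, CA file path and server name are made-up placeholders. The first block shows the weak setting, the second the hardened one that pins trust to a private root and checks the server name.

```conf
# WEAK (illustration): no ca_cert, so the supplicant trusts whatever
# server certificate it is shown and a rogue access point can impersonate
# the network, which is exactly the interception the reply warns about.
network={
    ssid="CorpWiFi-placeholder"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED (illustration): the client only trusts the organisation's own
# root CA (the cert distributed via the p12 / USB process in the reply) and
# additionally requires the server certificate's name to match, so even a
# certificate issued by the same CA for some other host is rejected.
network={
    ssid="CorpWiFi-placeholder"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

With a public CA in `ca_cert` and no `domain_suffix_match`, the hardened block collapses back into the weak one: the trust anchor is shared with the rest of the world, and name matching is the only thing left between the client and an impersonating server. A private root plus a name match is what makes "distribute the CA cert to the clients who need to trust it" actually buy security.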
