self-signed root CA

McNutt, Justin M. McNuttJ at missouri.edu
Mon Jan 30 20:49:17 CET 2012


This is basically what we've decided.  Assuming there are no more issues with management, we're going to set up a separate CA for RADIUS that only signs the server certs for the RADIUS servers.

Thanks to all for the replies.  Very useful!

--J

From: Christ Schlacta <lists at aarcane.org>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Thu, 26 Jan 2012 16:25:33 -0800
To: <freeradius-users at lists.freeradius.org>
Subject: Re: self-signed root CA

Self-signed provides stronger security in most cases.  I'm using
self-signed here, and distributing a certificate to unmanaged user
devices is as easy as placing a p12 file on a USB drive and requiring
users to stop by ops before getting on wireless.  If you're using a
public CA to sign certs, and you're not using TLS authentication (I'm
guessing you're not.  Getting that many certs would be expensive), then
anyone can impersonate your network and intercept perceivably protected
traffic.  This is BAD.  Insofar as I know, nearly everyone on this list
using certs is using self-signed.

On 1/25/2012 16:08, McNutt, Justin M. wrote:
So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs.  To make a long story short, I was asked to find out what other people were doing.

For my own reasons, I'd like to know slightly more than that.  If you AREN'T using a self-signed CA for your RADIUS server, what made you use another CA, and what CA did you use?

And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?

I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA.  The README explains briefly why, but my management wants more assurance than that, so here I am.

Looking forward to your responses, and thanks in advance.

--J

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
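The setup the thread settles on, as an added example (not code from the thread or from the FreeRADIUS project's raddb/certs scripts): a dedicated CA whose key signs nothing but RADIUS server certs, one server cert issued under it, and the check a client pinned to that CA makes. The CA names and radius1.example.edu are placeholders; openssl is assumed to be on the PATH.

```shell
# Added example, not from the thread or the FreeRADIUS project. Placeholder
# names: "RADIUS CA (...)" and radius1.example.edu.
make_radius_ca() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  # Config: the root may only sign end-entity certs (pathlen:0); the
  # server profile is a non-CA, TLS-server-only cert, all EAP needs.
  cat > "$dir/radius.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # 1. Self-signed root: this key signs nothing but RADIUS server certs.
  openssl req -x509 -config "$dir/radius.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # 2. Server key + CSR, signed by the RADIUS CA with the server profile.
  openssl req -new -config "$dir/radius.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=radius1.example.edu" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/radius.cnf" -extensions v3_server \
    -out "$dir/server.pem" 2>/dev/null
}

# The check a supplicant pinned to ca.pem makes on every EAP handshake:
# exit 0 if the server cert chains to that CA, non-zero otherwise.
verify_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: a cert from any other CA (a second private one here; a public CA
# fails the same way) is rejected by a client that trusts only ours.
demo() {
  work=$(mktemp -d)
  make_radius_ca "$work/ours" "RADIUS CA (ours)"
  make_radius_ca "$work/other" "RADIUS CA (other)"
  verify_server_cert "$work/ours/ca.pem" "$work/ours/server.pem" && echo "own CA: trusted"
  verify_server_cert "$work/ours/ca.pem" "$work/other/server.pem" || echo "other CA: rejected"
  rm -rf "$work"
}
```

Distributing ca.pem (and only ca.pem) to the supplicants is what makes the second verify fail; a client that also trusts a public root bundle would accept any server cert that bundle can validate.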