Help for buying a real cert (not self-signed)

Brian Julin BJulin at clarku.edu
Wed Feb 1 14:03:50 CET 2017


Spider S wrote:

> I need to buy a real cert. Where can I buy one? Any recommended websites?

We're currently using a GoDaddy cert, but now that we have stopped
supporting really old Windows versions which do not have the Entrust root pre-installed,
we may switch to that instead.  What you need to do is look at the root certificates
present in the OS store of the devices you are supporting, and find the
common denominator.

> And which type?  I see a lot of certs, and I don't know the certificate
> specifications (a lot of prices and options). Please give direct links to the
> correct cert if possible.

Just a regular web certificate will work, except for very old Windows clients where a
special attribute is needed... it is sometimes hard to get CAs to issue this
attribute.

See: http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.html

Also there may be some clients that are too dumb to figure out that OCSP
is not possible before they have an IP address, so some extended validation
attributes may cause issues if present.

> I have never bought a real cert and I don't know the process.

You generate a .csr, and using the CA's web interface you submit it.  This
CSR should not include your key, and the CA should not ask for the key, or
they are up to something sleazy.  Some CAs will send you back a code which
you need to post to a page on a web server under the same domain as the
cert is requested for, so they can verify you own that domain.

> Do I need a domain for this? Can I use a cert from a website (a typical SSL cert
> that is used for the web)?

The hostname (CN) in the certificate is not used by FreeRADIUS for IP
lookup for any reason... the DNS entry need not even exist, but you do need
to provably own a domain.

> I see a lot of info on the internet about using self-signed certs, but I can't find
> info in the documentation or on my Ubuntu install about using real certs. (It is
> very possible I just didn't find it.)

Using a CA cert is about the same as using a self-signed certificate.  The
only major difference on the server side is you have to include any intermediate
certificates concatenated onto the end of the cert file you tell FreeRADIUS to use,
in order starting with your server cert and then working towards the root, until
you have sent all certificates that your client OSes do not already have
pre-installed.  You should not include the CA root; it will do no good.

On the client side, you should be aware that any supplicant (client) that is not
configured to specifically trust only the CN in your certificate and only the CA root
which it was issued from may be vulnerable to hijack, which can reveal AD
credentials (and if the CA itself gets compromised or is not trustworthy, this could
also compromise your security of course.)  It is for this reason that many prefer
EAP-TLS to EAP-PEAP-MSCHAPv2 or prefer to use and distribute their
own self-signed or in-house PKI certificates to clients.

Not all OSes allow you to put these restrictions in place.  In particular Android is
not very safe.  Some OSes (Apple) perform an automatic pinning of the
certificate on the first connect, so they are usually only vulnerable to hijack
on the first connect, or if your users will ignore security warnings.

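The procedure described in the reply (generate a CSR that carries no private key, get it signed, then build the chain file with the server cert first, the intermediates after it, and the root left out), as an added example that is not part of the post or of the FreeRADIUS project. It stands up a throwaway root and intermediate CA with openssl to play the role of the commercial CA; the names (radius.example.com, "Example Root CA", "Example Intermediate CA") and the working directory are made up for the demo. The `check_chain_order` helper is the check a practitioner would run before pointing `certificate_file` in the `tls` section of eap.conf at the file.

```shell
#!/bin/sh
# Added example: simulates the buy-a-cert workflow end to end with openssl.
#   1. server key + CSR (the CSR is the only thing that leaves your box)
#   2. "the CA" signs it (here: a local root -> intermediate -> server chain)
#   3. chain file for FreeRADIUS: server cert, then intermediates, root omitted
# All names and paths below are assumptions for the demo, not from the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# --- step 1: generate the private key and the CSR -----------------------------
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=radius.example.com" 2>/dev/null
}

# prints yes/no; a CSR must never contain the private key
csr_contains_private_key() {
  if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi
}

# --- step 2: a stand-in for the commercial CA (root + one intermediate) ------
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
}

# the CA only ever sees server.csr; server.key stays on the RADIUS box
sign_server_csr() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# --- step 3: the file eap.conf's certificate_file points at -------------------
build_chain_file() {
  # server cert first, then intermediates; the root is deliberately left out
  cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# prints "ok" when every cert is issued by the one after it and the last one is
# not self-signed (a root in this file is just wasted bytes in every EAP round)
check_chain_order() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
  n=$(chain_cert_count "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subj=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$issuer" = "$subj" ] || { echo "cert $i is not issued by cert $((i + 1))"; return 1; }
    i=$((i + 1))
  done
  issuer=$(openssl x509 -in "$dir/$n.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  subj=$(openssl x509 -in "$dir/$n.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$issuer" != "$subj" ] || { echo "root certificate present in chain file"; return 1; }
  echo ok
}

# what a supplicant does: trust only the root it already has, take the rest
# of the chain from what the server sends
verify_as_client() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_server_csr
make_test_ca
sign_server_csr
build_chain_file
echo "CSR contains private key: $(csr_contains_private_key "$WORK/server.csr")"
echo "certificates in chain file: $(chain_cert_count "$WORK/chain.pem")"
echo "chain order: $(check_chain_order "$WORK/chain.pem")"
```

With a real CA you skip `make_test_ca` and `sign_server_csr`: you upload `server.csr`, download the signed server cert plus the CA's intermediate bundle, and concatenate them in that order. `check_chain_order` then tells you whether you pasted them the wrong way round or appended the root. The root goes to the supplicants (and into `ca_file` if you want FreeRADIUS to validate client certificates for EAP-TLS), not into `certificate_file`.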



More information about the Freeradius-Users mailing list