purpose of xp extensions

d tbsky tbskyd at gmail.com
Fri Jun 29 10:08:20 CEST 2018

2018-06-29 0:10 GMT+08:00 Adam Bishop <Adam.Bishop at jisc.ac.uk>:
> On 28 Jun 2018, at 16:48, d tbsky <tbskyd at gmail.com> wrote:
>> 2. is xp extensions only useful if we want client to verify server certificate?
> No, the Windows supplicant will flat out not work without the OIDs being present.

Hmmm. I tried to use let's encrypt certificate, and windows 7 seems to
swallow it.
BTW, how can we check if the certificate comes with xp extensions or not?
I tried to use "openssl x509 -text -in my.crt", but can not find info
about the extension.

>> 3. if we use certificate like let's encrypt without xp extensions.
>> what function do we miss? I know it is not very secure to use public
>> CA, but it seems easier when deal with mobile devices bring by users.
>> they just want to access wifi with their active directory
>> username/password.
> Don't do this - it's insecure if you allow users to use TOFU with a public CA, and has no advantage over a private CA from a UX perspective. Users will still be prompted to accept the certificate manually even if you obtain it from a public CA.

got it. thanks a lot for your explain!

More information about the Freeradius-Users mailing list