On Jun 28, 2018, at 11:48 AM, d tbsky <tbskyd@gmail.com> wrote:
2. is xp extensions only useful if we want client to verify server certificate?
The extensions show the allowed uses of the server / client certificates.
3. if we use certificate like let's encrypt without xp extensions. what function do we miss?
Among other things, newer versions of OpenSSL will refuse to do client certificates if the server doesn't have the correct extensions.
I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
That generally doesn't work. Some systems prompt the user to accept the certs. Others don't, and silently fail. Alan DeKok.