Hi Alan, When I read the file README it says below content: This directory contains scripts to create the server certificates. To make a set of default (i.e. test) certificates, simply type: $ ./bootstrap The "openssl" command will be run against the sample configuration files included here, and will make a self-signed certificate authority (i.e. root CA), and a server certificate. This "root CA" should be installed on any client machine needing to do EAP-TLS, PEAP, or EAP-TTLS. So can someone create a false certificate and key and create a session ? If we delete all these scripts also it is not possible to create any certificate and we get complete control of where it gets the certificates and keys ? Regards Simon On Thu, Nov 12, 2020 at 1:48 PM Alan DeKok <aland@deployingradius.com> wrote:
On Nov 12, 2020, at 2:44 PM, SIMON BABY <simonkbaby@gmail.com> wrote:
Thank you for replying to me. So if, I don't need to create certs and
keys
Can I delete all those files
If you're not using them, yes.
(To make them more secure by not creating any cert and key by someone who can hack).
That doesn't make sense. If you're not using them, it doesn't matter if someone else reads them. They don't mean anything, and they don't contain any useful information.
I have some static certs and key files.
You can *look* at those files to see what they are. There's a Makefile in raddb/certs which includes targets to print out the contents of the files. Or, you can use OpenSSL. These files aren't specific to FreeRADIUS. They're created with OpenSSL. So they can be read by OpenSSL.
If you look at the files, odds are that they will be for "example.com" or "example.org". Which are web sites *not* owned by you. So the certs are entirely meaningless. and leaking the contents of these files does nothing.
I am extremely wary of security theatre. If you want to delete files you don't use, that's one thing. But doing so does not make your systems any more secure.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html