2018-06-29 0:10 GMT+08:00 Adam Bishop <Adam.Bishop@jisc.ac.uk>:
On 28 Jun 2018, at 16:48, d tbsky <tbskyd@gmail.com> wrote:
2. is xp extensions only useful if we want client to verify server certificate?
No, the Windows supplicant will flat out not work without the OIDs being present.
Hmmm. I tried to use let's encrypt certificate, and windows 7 seems to swallow it. BTW, how can we check if the certificate comes with xp extensions or not? I tried to use "openssl x509 -text -in my.crt", but can not find info about the extension.
3. if we use certificate like let's encrypt without xp extensions. what function do we miss? I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
Don't do this - it's insecure if you allow users to use TOFU with a public CA, and has no advantage over a private CA from a UX perspective. Users will still be prompted to accept the certificate manually even if you obtain it from a public CA.
got it. thanks a lot for your explain!