Look at the date of said online sources, and when they were last updated. If it's anything before last year, you can be guaranteed that they are out of date. FreeRADIUS makes *huge* strides in a year (and I know this because I first had exposure to FR 2.1.12 in 2013 and have found that the product has vastly improved since). Everyone I know uses the 'make' or 'bootstrap' commands in the /etc/raddb/certs directory... The makefile and the certificate configs (ca.cnf, server.cnf and client.cnf) have been regularly updated to the latest recommended configurations (amongst them using SHA1 as the hashing algorithm and 2048 bits as key length).
Actually... We all should be using SHA-256 and not SHA-1 for new installations. Microsoft, Google and Mozilla are now deprecating the use of SHA-1 based certificates: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy. aspx http://googleonlinesecurity.blogspot.com /2014/09/gradually-sunsetting-sha-1.html https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates Also see: https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerati... The SHA-1 hash algorithm is now on the verge of practically being broken (76/80 round collision already generated). See: https://marc-stevens.nl/research/ It is likely that the same approach that was taken for MD5 will soon be taken with SHA-1. We shouldn't be building up a technical debt by deploying new certificates with this algorithm. It will just cause pain down the line. Regards, Nick Lowe