Re: EAP-TLS: Same cert, multiple servers and locations?
Can I use a single common name (ie. myglobalsites) for the certificate set across my entire domain, and simply copy the entire set, (ca/pem/der/p12) from site to site? Does openssl and freeradius together use any hardware info (CPU serial, resolved ip addr, etc) that would cause a copied cert to crash? Same server cert across multiple servers is fine.
The client doesn't see anything about the server when it connects to an SSID apart from the certificate, so it has no idea which particular server the response came from. Unlike HTTPS etc there's no existing network connection and therefore no DNS, so it can't even check that the "hostname" it's connecting to is the same as the cert name returned.
Matthew
Matthew - many thanks, exactly the answer I was looking for! Ted.
Hi,
Can I use a single common name (ie. myglobalsites) for the certificate set across my entire domain, and simply copy the entire set, (ca/pem/der/p12) from site to site? Does openssl and freeradius together use any hardware info (CPU serial, resolved ip addr, etc) that would cause a copied cert to crash?
Note that instead of locking the CN of the server itself, you can lock on the issuer. Then you just have the different certs issued from your own private CA. One advantage of this is that you can keep the CA key safer offline and you don't have to reprovision the devices when you have to revoke or renew the cert on the servers. Cheers, Sylvain
??? You can do that when using the same server CN. On clients configure to trust your CA and the one CN of server. Multiple server CNs is what the original requester wanted to avoid - and wildcard CN entries can be problematic alan
Hi,
??? You can do that when using the same server CN. On clients configure to trust your CA and the one CN of server. Multiple server CNs is what the original requester wanted to avoid - and wildcard CN entries can be problematic
Multiple server CN is what the OP requested to avoid because he wanted to roam between sites with a single config and he includes the server CN in that config (at least that's my understanding). What I'm pointing out is that you can still achieve roaming with a single config even if your server don't have the same CN. Apple clients allow to lock on the cert issuer instead of the cert itself and so does wpa_supplicant. I can't speak for every EAP-TLS client of course, but this seems to be a pretty common option. Cheers, Sylvain
Yep. But if using same private CA you may as well just use the same server cert on each box too. Then they could be just cloned configs, controlled by puppet, pulled from git...whatever. alan
On 7 May 2016, at 17:09, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Yep. But if using same private CA you may as well just use the same server cert on each box too. Then they could be just cloned configs, controlled by puppet, pulled from git...whatever.
I guess the advantage of using different server certs, is you can do a rolling revocation if they all get compromised, and it'd help a little with debugging (you'd know which backend you were talking to). Really though it's personal preference :) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan Buxey -
Arran Cudbard-Bell -
Sylvain Munaut -
Ted Hyde