Sharing a client cert for EAP-TLS with many identical devices?
Hi all, not exactly an FR problem, but at least I hope not a trivial question: My institution is taking part in a program to test the use of 100+ WiFi Clients handed out to students for use during a lecture or even for online exams. So we have 140 iPads along with a "filling station" for easy bulk configuration. WiFi auth will be done with EAP-TLS against FR. Now my question: Do I definitely need 140 client certs to deploy them on the iPads or could I get along with one cert for # all? The only drawback I can see is that if one iPad gets lost, I have to renew the client cert on _all_ of them, which I could bear due to the easy bulk config. Anything else? THX in advance Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
On May 7, 2015, at 9:41 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
not exactly an FR problem, but at least I hope not a trivial question: My institution is taking part in a program to test the use of 100+ WiFi Clients handed out to students for use during a lecture or even for online exams. So we have 140 iPads along with a "filling station" for easy bulk configuration. WiFi auth will be done with EAP-TLS against FR. Now my question: Do I definitely need 140 client certs to deploy them on the iPads or could I get along with one cert for # all?
The point of client certs is that they are per-client. i.e. unique to each client.
The only drawback I can see is that if one iPad gets lost, I have to renew the client cert on _all_ of them, which I could bear due to the easy bulk config. Anything else?
Don't do hacks. Do it properly. Alan DeKok.
On 07/05/15 14:41, Martin Pauly wrote:
against FR. Now my question: Do I definitely need 140 client certs to deploy them on the iPads or could I get along with one cert for # all?
Obviously it's possible to do this. But it's a bad idea. Don't do it. The major effort involved in using client certs is actually deploying them to the devices, and using a single cert doesn't help you here. Actually generating certs is low cost, if you're using a private CA as you should be for this application.
participants (3)
-
Alan DeKok -
Martin Pauly -
Phil Mayers