Hi: for many years I just follow the document: create certificate with xp extensions and use group policy to deploy the CA. I never really understand what is. now I have several stupid questions: 1. is the "xp" extensions means windows xp or something? 2. is xp extensions only useful if we want client to verify server certificate? 3. if we use certificate like let's encrypt without xp extensions. what function do we miss? I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password. thanks a lot for help!!
On 28 Jun 2018, at 16:48, d tbsky <tbskyd@gmail.com> wrote:
1. is the "xp" extensions means windows xp or something?
They were introduced with Windows XP.
2. is xp extensions only useful if we want client to verify server certificate?
No, the Windows supplicant will flat out not work without the OIDs being present.
3. if we use certificate like let's encrypt without xp extensions. what function do we miss? I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
Don't do this - it's insecure if you allow users to use TOFU with a public CA, and has no advantage over a private CA from a UX perspective. Users will still be prompted to accept the certificate manually even if you obtain it from a public CA. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
2018-06-29 0:10 GMT+08:00 Adam Bishop <Adam.Bishop@jisc.ac.uk>:
On 28 Jun 2018, at 16:48, d tbsky <tbskyd@gmail.com> wrote:
2. is xp extensions only useful if we want client to verify server certificate?
No, the Windows supplicant will flat out not work without the OIDs being present.
Hmmm. I tried to use let's encrypt certificate, and windows 7 seems to swallow it. BTW, how can we check if the certificate comes with xp extensions or not? I tried to use "openssl x509 -text -in my.crt", but can not find info about the extension.
3. if we use certificate like let's encrypt without xp extensions. what function do we miss? I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
Don't do this - it's insecure if you allow users to use TOFU with a public CA, and has no advantage over a private CA from a UX perspective. Users will still be prompted to accept the certificate manually even if you obtain it from a public CA.
got it. thanks a lot for your explain!
On Fri, 2018-06-29 at 16:08 +0800, d tbsky wrote:
Hmmm. I tried to use let's encrypt certificate, and windows 7 seems to swallow it.
Let's Encrypt certs include the TLS Web Server Auth EKU, as do all commercial certs used for web servers.
BTW, how can we check if the certificate comes with xp extensions or not? I tried to use "openssl x509 -text -in my.crt", but can not find info about the extension.
in X509v3 extensions: look for X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication -- Matthew
2018-06-29 18:51 GMT+08:00 Matthew Newton <mcn@freeradius.org>:
On Fri, 2018-06-29 at 16:08 +0800, d tbsky wrote:
Hmmm. I tried to use let's encrypt certificate, and windows 7 seems to swallow it.
Let's Encrypt certs include the TLS Web Server Auth EKU, as do all commercial certs used for web servers.
BTW, how can we check if the certificate comes with xp extensions or not? I tried to use "openssl x509 -text -in my.crt", but can not find info about the extension.
in
X509v3 extensions:
look for
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
thanks for the hint. but many certificates all have these kind of info. that's really confuse me.
On Jun 28, 2018, at 11:48 AM, d tbsky <tbskyd@gmail.com> wrote:
2. is xp extensions only useful if we want client to verify server certificate?
The extensions show the allowed uses of the server / client certificates.
3. if we use certificate like let's encrypt without xp extensions. what function do we miss?
Among other things, newer versions of OpenSSL will refuse to do client certificates if the server doesn't have the correct extensions.
I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
That generally doesn't work. Some systems prompt the user to accept the certs. Others don't, and silently fail. Alan DeKok.
2018-06-29 0:19 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
On Jun 28, 2018, at 11:48 AM, d tbsky <tbskyd@gmail.com> wrote:
I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
That generally doesn't work. Some systems prompt the user to accept the certs. Others don't, and silently fail.
Hi: thanks a lot for the hint. now I understand public CA doesn't make things easier..
participants (4)
-
Adam Bishop -
Alan DeKok -
d tbsky -
Matthew Newton