OT, but relevant: Managing Certs
i am starting to read up on implementing .1x, and want some feedback on how others are managing certs. my questions are not specific to freeradius, but being that many of the .1x auth methods use certificates, i am hoping to find a pool of folks that manage certificates, pki and / or ca's, to enlighten me. i have an openvpn instance that leverages certs. i will adding certs to openldap for client connections over tls, and certs for replication between masters. then there is www and proxy. even dns can get in the certificate game. with all of these services leveraging certificates, how do folks avoid "cross pollination"? i dont want an openvpn client certificate used to authenticate a .1x session, for example. i dont want my ldap replication to be subject to interception by a client that has a cert signed by the same ca, thereby allowing unintended access or the ability to decrypt the traffic because the same trust structure is in place for all of the services. i am wondering if using a separate intermediate ca for each infrastructure service is worth the effort, and if it would provide the means to isolate the different technologies from each other so the encrypted communications are not trivially intercepted because the same ca signed all the certs. aside from the isolation of signing, what can be done to prevent unintended cross authentication when certs are leveraged? thanks in advance, brendan kearney
Brendan Kearney wrote:
aside from the isolation of signing, what can be done to prevent unintended cross authentication when certs are leveraged?
Use multiple CAs. One main CA for your organization, and multiple intermediate ones for each service. There's not many other choices. Alan DeKok.
+1 also in the same way, sub intermediates for different classes of users. So: CA , service intermediate, user class intermediate, client cert PS some people will just use the same cert per user for all services alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (3)
-
Alan Buxey -
Alan DeKok -
Brendan Kearney