dont distribute certificate

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue Dec 21 17:43:32 CET 2010


Hi,

> > Yes, I was talking about the TLS public certificate, sorry for leaving
> > this out. The reason for that is that you only have the ability to
> > connect to the hotspot if you have manually installed the public cert on
> > your client before connecting.
> 
> No, I think you're confused. Perhaps you're referring to the trusted CA 
> cert used to sign your public server cert. The CA which signed your 
> server cert has to be installed as a trusted CA on the client (or 
> resolve to one via a cert chain).
> 
> Generally you don't want clients to install trusted CA certs. Therefore 
> your server cert must be signed by a CA which is normally trusted and 
> hence previously installed. Usually that means a commercial CA which you 
> pay to sign your server cert.

aye. you don't HAVE to install the server public cert as that will be transferred to
the client during the creation of the SSL/TLS tunnel.  what the client
does need, AND trust, is the public cert of the CA that signed the server.

in this way, the web of trust is created.


so...if you have a public system I'd advise you use a well known CA to sign your server...
a CA whose public keys are already in the OS.

for a private, closed loop system - e.g. 802.1X authentication - I'd still go for a private
CA - yes, you have the issue of CA distribution onto the clients but you avoid the
issue that anyone can pay and get a cert signed by a well known CA that your clients
would trust (closed-loop method).

alan
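The distinction drawn in the message above (the server cert is delivered in the handshake, the CA cert is what the client must already trust, and a private CA keeps certs bought from any other CA out of the closed loop) can be checked on the command line. The script below is an added example, not part of the original post or of FreeRADIUS; it assumes the openssl CLI is installed (1.1.1 or later for the -no-CAfile/-no-CApath options), and every name and file in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway private CA,
# a server cert signed by it, and a second "outside" CA, then check which
# combinations a client would accept. Assumes the openssl CLI; names are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Private CA (self-signed). This is the one certificate clients must trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. Server key + CSR, signed by the private CA. This cert is what the server
#    sends during the TLS handshake, so it never needs to be pre-installed.
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -out server.pem >/dev/null 2>&1

# 3. A second CA standing in for "some well-known CA anyone can buy a cert from",
#    issuing a cert with the very same server name.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Other CA" -keyout other-ca.key -out other-ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout outsider.key -out outsider.csr >/dev/null 2>&1
openssl x509 -req -in outsider.csr -CA other-ca.pem -CAkey other-ca.key \
    -CAcreateserial -days 365 -out outsider.pem >/dev/null 2>&1

# verify_against <server cert> <trusted CA file or "">
# Exit status 0 means a client with exactly that trust store would accept the
# cert; non-zero means it would reject it. An empty CA file models a client
# with nothing installed (the default system store is disabled on purpose so
# the result does not depend on what happens to be in /etc/ssl).
verify_against() {
    cert=$1
    cafile=$2
    if [ -n "$cafile" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$cert" >/dev/null 2>&1
    fi
}

# report <label> <cert> <cafile>: human-readable version of verify_against
report() {
    if verify_against "$2" "$3"; then
        echo "$1: trusted"
    else
        echo "$1: NOT trusted"
    fi
}

report "server cert, client trusts private CA"           server.pem   ca.pem
report "server cert, client trusts nothing"              server.pem   ""
report "server cert, client trusts only the other CA"    server.pem   other-ca.pem
report "other-CA cert, client trusts private CA"         outsider.pem ca.pem
```

Only the first case succeeds: having the server cert itself is neither necessary nor sufficient, the CA cert is what decides. The last case is the closed-loop point from the message: with a private CA in the supplicant's trust store, a certificate for the same name issued by any other CA is refused outright, which a client trusting the OS bundle of public CAs could not guarantee.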


