Generating a Microsoft compatible CSR for FreeRADIUS

Alan DeKok aland at deployingradius.com
Thu Jan 20 20:48:24 CET 2011


Sallee, Stephen (Jake) wrote:
> Hmmm. I hadn't thought of that attack vector, kind of like a man-in-the-middle attack, but isn't that what the private key is for, to prevent just that?

  To clarify, they can pretend to be a valid server, because *anyone*
signed by Verisign is a valid server.

  To go one step further, they can have Verisign sign a CA, and then use
that CA to create *any* certificate they want, including one which
pretends to be your server.  Most users won't bother reading the entire
certificate chain.  They'll just see "mit.edu" (or whatever) and click "OK".

  Alan DeKok.
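
The first point in the message above, shown with the openssl command line as an added example (not part of the original post or of FreeRADIUS): a check that only asks "is this signed by the trusted CA?" accepts any certificate that CA issued, while also checking the expected server name rejects the other customer's certificate. The CA, both host names and all keys are constructed locally for the demo. A name check does not cover the second point, where a subordinate CA issues a certificate carrying your server's own name.

```sh
#!/bin/sh
# Added demo. Every key, certificate and name below is constructed locally;
# "Constructed Public CA" stands in for a public CA such as Verisign.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed root CA in $WORK.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Public CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate for DNS name $1 from that CA, as $WORK/$1.pem.
issue() {
    printf 'subjectAltName = DNS:%s\n' "$1" > "$WORK/$1.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/ca.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 -extfile "$WORK/$1.ext" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Chain-only check: is certificate $1 signed by the trusted CA?
chain_ok() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Chain plus name: is $1 signed by the CA *and* issued for server name $2?
chain_and_name_ok() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca
issue radius.example.edu      # the real RADIUS server (constructed name)
issue radius.other.example    # another customer of the same CA (constructed)
for c in radius.example.edu radius.other.example; do
    if chain_ok "$c"; then echo "chain only:     $c accepted"; fi
    if chain_and_name_ok "$c" radius.example.edu
    then echo "chain and name: $c accepted"
    else echo "chain and name: $c rejected"; fi
done
```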


