Generating a Microsoft compatible CSR for FreeRADIUS

Alan Buxey A.L.M.Buxey at
Fri Jan 21 00:10:24 CET 2011


> > To clarify, they can pretend to be a valid server, because *anyone* signed by Verisign is a valid server.
> > To go one step further, they can have verisign sign a CA, and then use that CA to create *any* certificate they want,
> > including one which pretends to be your server.  Most users won't bother reading the entire certificate chain.
> > They'll just see "" (or >whatever) and click "OK".
> Ahh , I see what you mean.  Thank you for the clarification.  The masses of undereducated and/or apathetic users out there are the biggest challenges facing IT pros.

aye. this is why a self-signed cert can be beneficial...its a closed-loop system
then - only your own users ever authenticate against your server (ie use the
SSL cert to create an EAP tunnel to do things) - external users/visitors would
be proxied off to their home site (eg if using eduroam) - so you dont need to
worry about them getting the CA onto their system. 

you can shore things up a bit by ensuring that the clients are configured to
only trust the CA you've chosen...and filled in the RADIUS server name (well,
its CN from the SSL cert it provides when making the tunnel). but, once
again, thats getting things done right... most users with most OS's will
just click on the SSID and fill in basic details when prompted  (I guess
at least a lot of pain is now gone from 802.1X network connections....quick
and dirty).

PS dealing with public CA's isnt always so clear cut and quick - sometimes
the OS needs to be updated/patched before the CA is available...or updated
CA is supplied...and sometimes the train of trust changes so what was a CA
becomes an intermediary etc - so you have to deal with those cases too.

PS as already said, the extensions you need are documented and provided
in the 'xpextensions' file - they're basically how windows decides 'purpose'
of the cert. tiresome really.


More information about the Freeradius-Users mailing list