Distributing Certificates

Phil Mayers p.mayers at imperial.ac.uk
Fri Jan 20 11:48:51 CET 2012

On 01/20/2012 08:16 AM, Mark Holmes wrote:
>> Your problem is going to be>distributing the server cert to
>> the>clients NOT distributing client
> Maybe I've missed something here, but why will he need to distribute
> a cert to clients?

If you're using a private CA for signing the radius server certs, which 
is generally cited as best practice because it provides belt & braces; 
in the event a client does not learn & subsequently re-check the cert 
CN, a public CA would allow an attacker to impersonate your SSID. A 
private CA does not.

Some people (us included) choose to use a public CA and accept the risk, 
in return for significantly easier deployment.

More information about the Freeradius-Users mailing list