Distributing Certificates

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Jan 20 15:36:37 CET 2012


> If you're using a private CA for signing the radius server certs, which 
> is generally cited as best practice because it provides belt & braces; 
> in the event a client does not learn & subsequently re-check the cert 
> CN, a public CA would allow an attacker to impersonate your SSID. A 
> private CA does not.
> Some people (us included) choose to use a public CA and accept the risk, 
> in return for significantly easier deployment.

Private CA


-under full control of organisation
-the organisation only can sign servers
-for 802.1X your clients only need to trust your server - closed loop, so why use public?


-CA management - skillset, can someone do the same in X years?
-distribution of the CA to the client

Public CA


-most clients have the CA already present
-no need to learn about CA/PKI to such low level

-under whims of the CA and their issues (recall the Dutch CAs now revoked and now invalid)
-under whims of the remote CA policy (changing from being a root to intermediate)
-anyone can buy a certificate from a CA
-distribution - some CAs aren't on clients... so you need to distribute it anyway

personal opinion

CA distribution was always the issue for private CA - but most sites now go for
using a deployment tool of some kind to get clients set up - and all of them can deal with
installing a CA, so that's a problem gone. The system is closed-loop, visitors never need to
trust your RADIUS server cert... only your own folk do - so why use public in this space?
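The closed loop argued for above, as an added openssl walk-through that is not part of this thread or of FreeRADIUS itself: a throwaway private CA issues the RADIUS server cert, and a supplicant that trusts only that CA (and checks the CN) accepts it while rejecting a same-CN cert from any other CA. All names, hostnames and paths are constructed for the demo; it assumes only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed names throughout.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Private CA fully under the organisation's control.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Org Private CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# 2. RADIUS server certificate issued by that CA (constructed hostname).
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
  -keyout radius.key -out radius.csr 2>/dev/null
openssl x509 -req -in radius.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out radius.crt 2>/dev/null

# 3. A cert with the SAME CN from a different CA: stands in for the
#    "anyone can buy a certificate" case when clients trust a public root.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Some Other CA" -keyout other.key -out other.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
  -keyout rogue.key -out rogue.csr 2>/dev/null
openssl x509 -req -in rogue.csr -CA other.crt -CAkey other.key -CAcreateserial \
  -days 365 -out rogue.crt 2>/dev/null

# client_accepts CERT: decides like a supplicant configured to trust only
# ca.crt and to check the server CN; prints "accept" or "reject".
client_accepts() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 \
     && openssl x509 -in "$1" -noout -subject \
        | grep -q "CN *= *radius.example.org"; then
    echo accept
  else
    echo reject
  fi
}

echo "cert from own private CA: $(client_accepts radius.crt)"   # accept
echo "same CN, other CA:        $(client_accepts rogue.crt)"    # reject
```

Note that the rogue cert only fails because the client trusts a single private root; with a public root in the trust store the CN check alone is what stands between the client and an impersonated SSID.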


More information about the Freeradius-Users mailing list