self-signed root CA

Matthew Newton mcn4 at
Thu Jan 26 02:43:47 CET 2012


On Thu, Jan 26, 2012 at 12:08:34AM +0000, McNutt, Justin M. wrote:
> long story short, I was asked to find out what other people were
> doing.

Self-signed CA.

> And just to be clear, is the concensus still that a self-signed
> CA is the way to go,

Self-signed CA - you have to distribute the CA cert to your clients.

Nobody can set up a rogue network / AP with rogue RADIUS server
without the client throwing up some sort of warning.

Public CA - easier as you don't have to distribute the CA cert.

You're open to spoofing attacks where someone can get another cert
from the same CA and put it on a rogue RADIUS server. These days
it seems anyone can get a public-CA certificate for any domain by
just asking for it at the back door...

> management wants more assurance than that, so here I am.

First is more secure, second is more convenient.

> assuming that you have a decent way to distribute the CA cert
> (which we do) to the clients

If you can easily push the certs out, I'd go for the more secure
self-singned certs, as the main objection to it seems to be
pushing out the CA cert.


Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list