self-signed root CA
Matthew Newton
mcn4 at leicester.ac.uk
Thu Jan 26 02:43:47 CET 2012
Hi,
On Thu, Jan 26, 2012 at 12:08:34AM +0000, McNutt, Justin M. wrote:
> long story short, I was asked to find out what other people were
> doing.
Self-signed CA.
> And just to be clear, is the consensus still that a self-signed
> CA is the way to go,
Self-signed CA - you have to distribute the CA cert to your clients.
Nobody can set up a rogue network / AP with rogue RADIUS server
without the client throwing up some sort of warning.
Public CA - easier as you don't have to distribute the CA cert.
You're open to spoofing attacks where someone can get another cert
from the same CA and put it on a rogue RADIUS server. These days
it seems anyone can get a public-CA certificate for any domain by
just asking for it at the back door...
> management wants more assurance than that, so here I am.
First is more secure, second is more convenient.
> assuming that you have a decent way to distribute the CA cert
> (which we do) to the clients
If you can easily push the certs out, I'd go for the more secure
self-signed certs, as the main objection to it seems to be
pushing out the CA cert.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
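The trade-off Matthew describes (a client that trusts a CA accepts any server certificate that CA issued, unless it also checks the server's name) can be modelled directly. The following is an added example written for this post, not code from the thread or from FreeRADIUS; it uses the Python `cryptography` library, and every CA name and hostname in it is constructed for illustration.

```python
# Model of what an 802.1X/EAP supplicant checks when it validates the RADIUS
# server certificate. Uses the `cryptography` library (pip install cryptography).
# Every CA name and hostname below is constructed for illustration.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _build(subject, issuer, pubkey, signing_key, is_ca, san=None):
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def make_ca(name):
    """Self-signed root. Its certificate is what gets pushed to every client."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _build(name, name, key.public_key(), key, True), key

def issue_server_cert(ca_cert, ca_key, hostname):
    """RADIUS server cert signed by the CA, with the hostname in the SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    ca_name = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return _build(hostname, ca_name, key.public_key(), ca_key, False, san=hostname)

def client_accepts(server_cert, trusted_ca, expected_host=None):
    """(1) Was the cert signed by the CA the client trusts?  (2) If the client
    was also given a server name (cf. wpa_supplicant domain_suffix_match), does it match?"""
    if server_cert.issuer != trusted_ca.subject:
        return False
    try:
        trusted_ca.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                       ec.ECDSA(server_cert.signature_hash_algorithm))
    except Exception:  # InvalidSignature
        return False
    if expected_host is None:
        return True  # CA-only trust: any certificate from this CA is accepted
    san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return expected_host in san.value.get_values_for_type(x509.DNSName)
```

With a private CA only certificates you issued exist, so CA-only trust is enough; with a public CA the second certificate in the test below is what an unrelated party can obtain, and only the name check rejects it.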