self-signed root CA

Alan DeKok aland at
Thu Jan 26 08:28:14 CET 2012

McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs.  To make a long story short, I was asked to find out what other people were doing.

  Self-signed CA.  *Always*.

> And just to be clear, is the concensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?


> I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA.  The README explains briefly why, but my management wants more assurance than that, so here I am.

  Well, I wrote that README.  It's correct.

  Here's a question for management.  Do they want anyone on the planet
to be able to set up a copy of their WiFi SSID, and grab user information?

  If yes, use a public CA.  If no, use a self-signed CA.

  With web surfing, your web browser verifies that the site at
"" is holding an SSL certificate which says "".
 This prevents anyone else from using a "" certificate,
because no one else can control the "" domain.

  For WiFi, there is no such control.  If your company SSID is
"", *anyone* can duplicate that SSID.  The EAP supplicant
doesn't check if the SSID matches the certificate.  It can't check, for
a whole host of reasons.

  So the situations are different.  The result is that the security
methods are different, too.

  Alan DeKok.

More information about the Freeradius-Users mailing list