self-signed root CA
Alan DeKok
aland at deployingradius.com
Thu Jan 26 08:28:14 CET 2012
McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing.
Self-signed CA. *Always*.
> And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?
Yes.
> I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am.
Well, I wrote that README. It's correct.
Here's a question for management. Do they want anyone on the planet
to be able to set up a copy of their WiFi SSID, and grab user information?
If yes, use a public CA. If no, use a self-signed CA.
With web surfing, your web browser verifies that the site at
"facebook.com" is holding an SSL certificate which says "facebook.com".
This prevents anyone else from using a "facebook.com" certificate,
because no one else can control the "facebook.com" domain.
For WiFi, there is no such control. If your company SSID is
"example.com", *anyone* can duplicate that SSID. The EAP supplicant
doesn't check if the SSID matches the certificate. It can't check, for
a whole host of reasons.
So the situations are different. The result is that the security
methods are different, too.
Alan DeKok.
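The point Alan makes above (the supplicant has nothing like a hostname to bind the SSID to, so "any public CA" means "any attacker with a cheap certificate") can be shown with nothing but openssl. The script below is an added example, not part of the list post or of the FreeRADIUS certs/README. It builds two constructed CAs, "corp-ca" (the organisation's own self-signed root, the equivalent of raddb/certs/ca.pem) and "public-ca" (a stand-in for a commercial CA), issues three constructed server certificates, and then runs the checks a supplicant would: trust a public CA, trust only corp-ca, and trust corp-ca plus the expected server name. All host names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Requires only openssl.
# Builds constructed CAs and server certs in a temp dir and reports which
# certificates each kind of supplicant trust policy would accept.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed root CA (hypothetical name)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server CA NAME: server certificate for NAME, signed by CA, with a DNS SAN
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$2" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" 2>/dev/null
}

# ca_check CA NAME: a supplicant that trusts only CA (wpa_supplicant's ca_cert=)
ca_check() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        "$WORK/$2.pem" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# pinned_check CA EXPECTED NAME: as above, plus the server name the supplicant
# expects (wpa_supplicant's domain_suffix_match= / altsubject_match=)
pinned_check() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        -verify_hostname "$2" "$WORK/$3.pem" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

make_ca corp-ca
make_ca public-ca
issue_server corp-ca   radius.example.com     # your RADIUS server
issue_server corp-ca   printer.example.com    # another box holding a cert from the same CA
issue_server public-ca evil-twin.example.net  # attacker's perfectly valid cert for a domain they own

# The SSID is not in any of these certificates, so the only things a supplicant
# can check are: which CA signed it, and (if configured) which server name it carries.
echo "trust public CA,  evil twin cert:  $(ca_check public-ca evil-twin.example.net)"   # accepted
echo "trust corp-ca,    evil twin cert:  $(ca_check corp-ca evil-twin.example.net)"     # rejected
echo "trust corp-ca,    radius cert:     $(ca_check corp-ca radius.example.com)"        # accepted
echo "corp-ca + name,   printer cert:    $(pinned_check corp-ca radius.example.com printer.example.com)"  # rejected
echo "corp-ca + name,   radius cert:     $(pinned_check corp-ca radius.example.com radius.example.com)"   # accepted
```

The first line is the whole argument: a supplicant that trusts public CAs accepts the evil twin's certificate, because that certificate is genuinely valid, just not for your network. The last two lines are the caveat to add when rolling out the self-signed CA: distribute ca.pem to the clients and also configure the expected server name (domain_suffix_match or altsubject_match in wpa_supplicant, "Connect to these servers" in the Windows supplicant), otherwise any certificate your CA ever issued, to a printer or a test box, is as good as the RADIUS server's.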