self-signed root CA
p.mayers at imperial.ac.uk
Thu Jan 26 12:16:15 CET 2012
On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a
> self-signed CA for signing my RADIUS server certs. To make a long
> story short, I was asked to find out what other people were doing.
This has been discussed extensively on the list!
> For my own reasons, I'd like to know slightly more than that. If you
> AREN'T using a self-signed CA for your RADIUS server, what made you
> use another CA, and what CA did you use?
We use a Verisign cert. We chose this because we decided the difficulty
of deploying the certificate to unmanaged client desktop, laptop and
mobile devices was excessive, given our client base.
I should emphasise that this is a 5 year old decision; at the time, the
various open-source cert deployment tools (e.g. su1x) were unavailable,
and there was (indeed, still is) an unwillingness to pay for a solution
such as CloudPath.
I should also emphasise that, at the time, the client base included
Windows Mobile 5 devices (on which it is practically impossible to
install certs) as well as guest laptops (on which the hassle of
installing a cert eats significantly into the time the guest is here).
Therefore, we opted for a public cert.
If we were starting from scratch, we'd probably use a private cert and
su1x to deploy it.
There is zero appetite to change certs (and reconfigure ~10,000 clients).
> And just to be clear, is the concensus still that a self-signed CA is
> the way to go, assuming that you have a decent way to distribute the
> CA cert (which we do) to the clients who need to trust it?
Yes, very much so. Is is the safer and more secure default option.
More information about the Freeradius-Users