self-signed root CA

Phil Mayers p.mayers at
Thu Jan 26 12:18:38 CET 2012

On 01/26/2012 01:43 AM, Matthew Newton wrote:

> Public CA - easier as you don't have to distribute the CA cert.
> You're open to spoofing attacks where someone can get another cert
> from the same CA and put it on a rogue RADIUS server. These days
> it seems anyone can get a public-CA certificate for any domain by
> just asking for it at the back door...

This depends on the CA.

As I've said before, anyone going down this route should pony up and pay 
top dollar for a reliable cert from a (reasonably!) reliable CA, AND 
ENSURE that clients are validating the certificate CN.

I'm no fan of X.509 or CAs (oh, EAP-EKE - how I wish we could have been 
together!) but not every CA is terrible!

More information about the Freeradius-Users mailing list