self-signed root CA
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 26 12:18:38 CET 2012
On 01/26/2012 01:43 AM, Matthew Newton wrote:
> Public CA - easier as you don't have to distribute the CA cert.
>
> You're open to spoofing attacks where someone can get another cert
> from the same CA and put it on a rogue RADIUS server. These days
> it seems anyone can get a public-CA certificate for any domain by
> just asking for it at the back door...
This depends on the CA.

As I've said before, anyone going down this route should pony up and pay
top dollar for a reliable cert from a (reasonably!) reliable CA, AND
ENSURE that clients are validating the certificate CN.

I'm no fan of X.509 or CAs (oh, EAP-EKE - how I wish we could have been
together!) but not every CA is terrible!