SSL Certificate Question

A.L.M.Buxey at lboro.ac.uk
Wed Jul 9 10:11:56 CEST 2014


hi,

this question pops up every so often - look at the mailing list history for previous
discussions - but the summary is

1) it's BCP for 802.1X to use a private CA - it's more secure in that you control the CA
and thus you control who gets certificates...so if a client can ONLY check the CA
and not the CommonName, that's not an issue.

2) if using a private CA your RADIUS server can be directly signed - no intermediates -
less data during the 802.1X exchange

3) you are in control of your destiny - YOU decide what your CA policy and server certificate
policies are. want 5 years? fine. want 10 years (not advisable)? fine.


..and more.

however, using a private CA has its difficulties

1) clients need to have the CA on their device - use a profile tool!

2) you are operating a PKI/CA system - you need to know what you are doing, have policies, keep
it secure, etc

3) you need to know what random things you need to add into the certs (fortunately
plenty of other people are doing that work in the world of 802.1X and contributing to
FreeRADIUS, so e.g. the current example/demo certificate scripts make things that work)


your problem is PROBABLY that your CA/cert is MD5 - newer OSes won't like that. you need to be SHA1
or higher now. Windows Phone/Windows 8 need CRLDP to be present. at the end of the day, when it comes
to the actual x509 data, there is NO difference between a private CA signed cert and a public CA signed
cert for 802.1X

alan
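An added example (not from the post or from the FreeRADIUS project) that builds a private 802.1X CA and a directly signed RADIUS server certificate with openssl, then audits a certificate for the two problems named above: an MD5 signature and a missing CRL Distribution Points extension. The CA name, the hostname radius.example.org, the CRL URL and the lifetimes are assumed placeholder values.

```shell
#!/bin/sh
# Private CA + directly signed RADIUS server cert (no intermediate), SHA-256 throughout.
set -eu

WORK=${WORK:-$(mktemp -d)}

make_ca_and_server_cert() {
  # Self-signed private CA, 5-year lifetime (assumed policy; names are placeholders).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -subj "/CN=Example Private 802.1X CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server key + CSR for the RADIUS host.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=radius.example.org" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Extensions the server cert needs: a CRL DP (Windows Phone/Windows 8) and serverAuth EKU.
  printf 'crlDistributionPoints=URI:http://pki.example.org/ca.crl\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/ext.cnf"
  # Sign the server cert directly with the CA, SHA-256, shorter lifetime than the CA.
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# audit_cert FILE: returns 0 only if the signature is not MD5 and a CRL DP is present.
audit_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n1)
  case "$sigalg" in
    *md5*|*MD5*) echo "FAIL: $1 signed with $sigalg"; return 1 ;;
  esac
  if ! printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points'; then
    echo "FAIL: $1 has no CRL Distribution Points extension"; return 1
  fi
  echo "OK: $1 ($sigalg, CRLDP present)"
}
```

Run `make_ca_and_server_cert` and then `audit_cert "$WORK/server.pem"`; pointing `audit_cert` at an existing RADIUS server certificate is the quick way to check the MD5 and CRLDP points before blaming the client.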


More information about the Freeradius-Users mailing list