OT, but relevant: Managing Certs

Brendan Kearney bpk678 at gmail.com
Wed Jun 4 01:28:05 CEST 2014

i am starting to read up on implementing .1x, and want some feedback on
how others are managing certs.  my questions are not specific to
freeradius, but being that many of the .1x auth methods use
certificates, i am hoping to find a pool of folks that manage
certificates, pki and / or ca's, to enlighten me.

i have an openvpn instance that leverages certs.  i will adding certs to
openldap for client connections over tls, and certs for replication
between masters.  then there is www and proxy.  even dns can get in the
certificate game.

with all of these services leveraging certificates, how do folks avoid
"cross pollination"?  i dont want an openvpn client certificate used to
authenticate a .1x session, for example.  i dont want my ldap
replication to be subject to interception by a client that has a cert
signed by the same ca, thereby allowing unintended access or the ability
to decrypt the traffic because the same trust structure is in place for
all of the services.

i am wondering if using a separate intermediate ca for each
infrastructure service is worth the effort, and if it would provide the
means to isolate the different technologies from each other so the
encrypted communications are not trivially intercepted because the same
ca signed all the certs.

aside from the isolation of signing, what can be done to prevent
unintended cross authentication when certs are leveraged?

thanks in advance,

brendan kearney

More information about the Freeradius-Users mailing list