EAP-TLS: Same cert, multiple servers and locations?

Sylvain Munaut s.munaut at whatever-company.com
Sat May 7 09:19:22 CEST 2016


Hi,

>>> Can I use a single common name (i.e. myglobalsites) for the certificate set
>>> across my entire domain, and simply copy the entire set (ca/pem/der/p12)
>>> from site to site? Do openssl and freeradius together use any hardware
>>> info (CPU serial, resolved IP addr, etc.) that would cause a copied cert to
>>> crash?

Note that instead of locking the CN of the server itself, you can lock
on the issuer.

Then you just have the different certs issued from your own private CA.

One advantage of this is that you can keep the CA key safer offline
and you don't have to reprovision the devices when you have to revoke
or renew the cert on the servers.


Cheers,

    Sylvain
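
The issuer-pinning approach described in the message above, as an added example that is not part of the original post or of FreeRADIUS: a shell script using the openssl CLI to issue per-site server certificates from one private CA and check them against the pinned CA file. All CA names, host names and file names are constructed placeholders, and `-no-CApath` assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed demo: every CA name, CN and path below is a placeholder.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed private CA; in production ca.key stays offline.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_server CA_DIR CN OUT_PREFIX: fresh key and cert for one site, signed by that CA.
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$3.pem" 2>/dev/null
}

# chains_to CA_PEM CERT: succeeds only if CERT verifies against CA_PEM alone
# (-no-CApath keeps the system trust directory out of the decision).
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# report: what a client that trusts only $WORK/ca/ca.pem would decide per cert.
report() {
    for c in site-a site-b site-a-renewed foreign; do
        if chains_to "$WORK/ca/ca.pem" "$WORK/$c.pem"; then
            echo "$c: accepted"
        else
            echo "$c: rejected"
        fi
    done
}

make_ca "$WORK/ca" "Example RADIUS CA"
make_ca "$WORK/other" "Unrelated CA"
# Different CN and key per site, same issuer: nothing is copied between servers.
issue_server "$WORK/ca" radius-site-a.example "$WORK/site-a"
issue_server "$WORK/ca" radius-site-b.example "$WORK/site-b"
# Renewal at site A: new key and cert, while the ca.pem on the clients is unchanged.
issue_server "$WORK/ca" radius-site-a.example "$WORK/site-a-renewed"
# Same CN as site A but signed by a CA the clients do not trust.
issue_server "$WORK/other" radius-site-a.example "$WORK/foreign"
report
```

The clients only ever hold `ca.pem`, so a renewed or replaced server certificate is accepted without touching them, while a certificate with a matching CN from another CA is not.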


More information about the Freeradius-Users mailing list