Server certificate and clients (eap-tls) certificate
Nathan Ward
lists+freeradius at daork.net
Tue Dec 12 03:36:07 CET 2017
> On 12/12/2017, at 3:23 PM, work vlpl <thework.vlpl at gmail.com> wrote:
>
> On 12 December 2017 at 03:12, Alan DeKok <aland at deployingradius.com> wrote:
>> On Dec 9, 2017, at 12:36 PM, work vlpl <thework.vlpl at gmail.com> wrote:
>>>
>>> I should get a valid SSL certificate from (Verisign or another CA)
>>
>> Please don't. It's generally a bad idea. Use a self-signed CA. That way you can control it much better.
>>
>
> Why is using a valid certificate from some global CA a bad idea? Because
> Windows requires certain OIDs in the certificates?
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/certs/README
Line 26 onwards:
In general, you should use self-signed certificates for 802.1x (EAP)
authentication. When you list root CAs from other organisations in
the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
--
Nathan Ward
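An added example (my own, not code from the list post or from the FreeRADIUS project) that demonstrates the certs/README point quoted above with throwaway openssl-generated CAs: a certificate chaining to a CA you do not list fails validation, while a trust store that also lists another organisation's CA accepts their certificate for your server name. It assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the list post or the FreeRADIUS project. It shows
# why certs/README advises a private CA: a supplicant (or the server's ca_file)
# accepts any certificate chaining to a CA in its trust store, so listing CAs
# you do not control lets their certificates pass as yours.
# Assumes the openssl CLI; every key and certificate here is throwaway.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed CA named $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a server certificate: $1 = issuing CA, $2 = output name, $3 = CN.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# Validate certificate $2 against trust store $1; prints ok or fail.
verify_against() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca our-ca
make_ca other-ca
# Same server name (constructed), issued by two different CAs.
issue_server_cert our-ca   ours   radius.example.org
issue_server_cert other-ca theirs radius.example.org

# A trust store that also lists the other organisation's CA, as the README warns against.
cat "$WORK/our-ca.pem" "$WORK/other-ca.pem" > "$WORK/bundle.pem"

echo "private CA, our cert:    $(verify_against our-ca ours)"    # ok
echo "private CA, their cert:  $(verify_against our-ca theirs)"  # fail
echo "CA bundle, their cert:   $(verify_against bundle theirs)"  # ok
```

The last line is the masquerade case from the README: nothing distinguishes "theirs" from "ours" once the other CA is trusted, so the trust store, not the certificate, decides who may authenticate your users.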