Server certificate and clients (eap-tls) certificate

Nathan Ward lists+freeradius at
Tue Dec 12 03:36:07 CET 2017

> On 12/12/2017, at 3:23 PM, work vlpl <thework.vlpl at> wrote:
> On 12 December 2017 at 03:12, Alan DeKok <aland at> wrote:
>> On Dec 9, 2017, at 12:36 PM, work vlpl <thework.vlpl at> wrote:
>>> I should get a valid SSL certificate from (Verisign or other CA)
>>  Please don't.  It's generally a bad idea.  Use a self-signed CA.  That way you can control it much better.
> Why is using a valid certificate from some global CA a bad idea? Because
> Windows requires certain OIDs in the certificates? <>

Line 26 onwards:
  In general, you should use self-signed certificates for 802.1x (EAP)
authentication.  When you list root CAs from other organisations in
the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.

Nathan Ward
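
The README passage quoted above says that every root CA listed in "ca_file" can issue client certificates for EAP-TLS. One way to check that a ca_file bundle holds only your own CA is sketched below, as an added example that is not part of the original thread or of FreeRADIUS; the function names, the pinned-fingerprint set and the sample bundles are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.append(hashlib.sha256(der).hexdigest())
    return out


def audit_ca_file(pem_text, pinned):
    """Compare the trust anchors in a ca_file against the pinned set.

    Returns (unexpected, missing): fingerprints present but not pinned,
    and pinned fingerprints that are absent from the bundle.
    """
    found = fingerprints(pem_text)
    unexpected = [fp for fp in found if fp not in pinned]
    missing = sorted(set(pinned) - set(found))
    return unexpected, missing


def _pem(der):
    # Helper for the constructed samples below: wrap bytes in PEM armour.
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for DER certificates.
PRIVATE_CA = _pem(b"constructed: our own self-signed RADIUS CA")
PUBLIC_ROOT = _pem(b"constructed: some other organisation's root CA")
PINNED = {fingerprints(PRIVATE_CA)[0]}  # assumption: recorded when the CA was created

if __name__ == "__main__":
    for name, bundle in [("own CA only", PRIVATE_CA),
                         ("own CA + foreign root", PRIVATE_CA + PUBLIC_ROOT)]:
        unexpected, missing = audit_ca_file(bundle, PINNED)
        status = "OK" if not unexpected and not missing else "REVIEW"
        print(f"{name}: {status} unexpected={unexpected} missing={missing}")
```

Against a real deployment, read the file that "ca_file" points to and pin the fingerprint recorded when the private CA was generated.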
