EAP SSL Cert "Not Trusted"
Trevor at simple101.com
Thu Jun 15 21:53:19 CEST 2017
Thank you for that explanation. That has helped a lot to understand the
difference between the EAP and HTTPS certificate process and why private
signed is better than the public signed CA.
On Thu, Jun 15, 2017 at 2:14 PM, Alan DeKok <aland at deployingradius.com>
> On Jun 15, 2017, at 1:42 PM, Trevor Jennings <Trevor at simple101.com> wrote:
> > We've had EAP functioning well for the past 7-8 years and when the cert
> > comes up to renew, I've been asked why do we need to keep trusting the
> > certificate, so I am trying to find answers.
> You need to keep trusting the cert, because if you don't trust it, you
> shouldn't use it for anything.
> >> Do not use public CA certs for WiFi authentication. It's insecure.
> > So you are suggesting we should be using self signed certs instead of a
> > public CA?
> It's generally safer. For many reasons outlined earlier.
> Most end-user systems now do "server cert pinning". This means that
> they keep a copy of the server cert on first successful authentication.
> They then refuse to connect if the server cert changes.
> It's not part of the specs, but it's arguably better than nothing.
> >> And no, the Apple devices do NOT already trust the Thawte cert for WiFi
> >> authentication. They trust the Thawte cert for web surfing, which is
> >> entirely different.
> > This is what I do not understand. The root certificate is the same for
> > and is sent as part of the EAP process along with the server
> certificate. I
> > know this sounds like a stupid question but how are these both different?
> EAP is different from HTTPS.
> That's the short answer.
> The longer answer is that EAP has a very different use-case than HTTPS.
> For HTTPS, you want to ensure that the web site you're connecting to is
> "known". i.e. trusted by the CA. But you are NOT giving it your
> password. You're downloading their web site.
> For EAP, you're not downloading data. You're handing the server your
> password. So you want to be sure that you're handing the password to the
> *correct* server. i.e. as server you know. Not a random server which is
> trusted by the CA.
> Do you "trust" both gmail and Microsoft enough to download web pages
> from them? Likely yes.
> Would you hand your gmail account passwords to Microsoft? Likely not.
> That's the difference.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
More information about the Freeradius-Users