CA usage and practices

Stefan Paetow Stefan.Paetow at
Fri Mar 24 12:31:25 CET 2017

>> People don't talk about this enough. A CA is more than just a server or HSM, some scripts and a web UI. It's almost *all* about process and procedure, and as technical people we tend to ignore this.
> Typical CA failures happen when people make mistakes.  It is extremely rare that an automated process goes wrong.

As demonstrated by DigiNotar (keys left in the devices/machines).

>> Slightly OT: can we have a quick headcount of which client deployment tools people are using to deploy their private CA, ideally annotated with any platforms it *doesn't* support?
> This would be good to know, and to document on the wiki.

Speaking of which, Alan, I know the bootstrap script is, well, for demo purposes, but it does get used rather a lot for deployments. You may eventually get a replacement for bootstrap from either myself (as proxy) or someone else who thought it was inadequate for production purposes. :-)

With Regards

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet

