CA usage and practices

Alan DeKok aland at
Fri Mar 24 12:40:47 CET 2017

On Mar 24, 2017, at 7:31 AM, Stefan Paetow <Stefan.Paetow at> wrote:
> Speaking of which, Alan, I know the bootstrap script is, well, for demo purposes, but it does get used rather a lot for deployments.

  I use it that way.  The reason is that most of the existing OpenSSL tools are horrifically bad.

  The certificate processes in FreeRADIUS v1 were terrible, so I eventually sat down (for WAY too long), and figured out what to do so that it would be easier for everyone else (and future me!)

> You may eventually get a replacement for bootstrap from either myself (as proxy) or someone else who thought it was inadequate for production purposes. :-)

  As always, patches are welcome. :)

  I don't usually recommend CA management systems.  Partly because I don't know what people actually need, so recommending a CA system may be wrong.  And partly because most CA systems are so convoluted and confusing as to be almost unusable.

  i.e. when you have functionality to meet the needs of 99% of your users, the 90% that want something *simple* will be confused.

  The bootstrap scripts in FreeRADIUS are hard to get wrong.  That makes them useful, and easy to use.

  But even with that, a little more functionality wouldn't be bad.

  Alan DeKok.

More information about the Freeradius-Users mailing list