CA usage and practices

Brian Julin BJulin at
Fri Mar 24 15:41:07 CET 2017

> Slightly OT: can we have a quick headcount of which client deployment tools people are using to deploy their private CA, ideally annotated with any platforms it *doesn't* support?

Well, we don't use one, yet.  I've decided to try to tackle the task of getting helpdesk staff used to
running a new deployment program which also parameterizes our SSIDs by tying one to an
upcoming new VPN rollout.  This is with custom scripts generating a  mobileconfig and a custom
windows script, since none of the SSID-deployment tools also did VPN profiles and/or
were too cookie cutter or too bloated to audit.

I haven't gotten around yet to writing the part of the Windows script that does the SSIDs or
will eventually allow us to install a root cert, but the mobileconfig side of that is dead simple.  So far
I've been able to avoid any binary .exes on the Windows side so the whole thing is a one-file,
easily auditable script disregarding the pasted-in certs.  We don't allow Vista or XP on
the network anymore, so I don't have to deal with powershells too old to do the job.

Haven't even looked at CA enrollment yet.  Would be premature until management takes some
interest in the CA project and supplicant support catches up.

The danger in this approach is less community support if an OS suddenly decides to make changes
that crash the scripts or demand a different .mobileconfig for different OSes.  But so far in
testing, we haven't needed to discriminate.

Didn't bother to do android, because it's futile to be messing around with giant build enviromnets
to create apps to use reflection APIs to get at paremeters that should be easily provisionable.  We'll
just have to wait for that crew to get their thumbs out of their posteriors, and in the meantime coax
the users through manual cert installs.

More information about the Freeradius-Users mailing list