purpose of xp extensions
d tbsky
tbskyd at gmail.com
Fri Jun 29 10:08:20 CEST 2018
2018-06-29 0:10 GMT+08:00 Adam Bishop <Adam.Bishop at jisc.ac.uk>:
> On 28 Jun 2018, at 16:48, d tbsky <tbskyd at gmail.com> wrote:
>> 2. Are xp extensions only useful if we want the client to verify the server certificate?
>
> No, the Windows supplicant will flat out not work without the OIDs being present.
Hmmm. I tried to use a Let's Encrypt certificate, and Windows 7 seems to
swallow it.
BTW, how can we check if the certificate comes with xp extensions or not?
I tried to use "openssl x509 -text -in my.crt", but cannot find info
about the extension.
>> 3. If we use a certificate like Let's Encrypt without xp extensions,
>> what function do we miss? I know it is not very secure to use a public
>> CA, but it seems easier when dealing with mobile devices brought by users.
>> They just want to access wifi with their Active Directory
>> username/password.
>
> Don't do this - it's insecure if you allow users to use TOFU with a public CA, and has no advantage over a private CA from a UX perspective. Users will still be prompted to accept the certificate manually even if you obtain it from a public CA.
Got it. Thanks a lot for your explanation!
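
One way to answer the "how can we check" question above, as an added example that is not part of the original thread. It assumes the "xp extensions" are the Extended Key Usage OIDs set by FreeRADIUS's bundled xpextensions file (1.3.6.1.5.5.7.3.1 for servers, 1.3.6.1.5.5.7.3.2 for clients); the function names and the test certificates are constructed for illustration.

```shell
#!/bin/sh
# OpenSSL prints EKU purposes by name, not by dotted OID:
#   1.3.6.1.5.5.7.3.1 -> "TLS Web Server Authentication"
#   1.3.6.1.5.5.7.3.2 -> "TLS Web Client Authentication"

# has_eku CERT PURPOSE: succeed if CERT's Extended Key Usage lists PURPOSE.
has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q "$2"
}

# has_server_eku CERT: the check that matters for a RADIUS/EAP server certificate.
has_server_eku() {
    has_eku "$1" 'TLS Web Server Authentication'
}

# make_test_cert OUT [EKU]: build a throwaway self-signed certificate
# (constructed test input), with extendedKeyUsage=EKU when EKU is given.
make_test_cert() {
    cnf=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=radius.example.test\n'
        printf '[ext]\nbasicConstraints=CA:FALSE\n'
        if [ -n "${2:-}" ]; then printf 'extendedKeyUsage=%s\n' "$2"; fi
    } > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout /dev/null -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Demonstration: one certificate with the server EKU, one without any EKU.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/with.crt" 1.3.6.1.5.5.7.3.1
    make_test_cert "$dir/without.crt"
    for c in "$dir/with.crt" "$dir/without.crt"; do
        if has_server_eku "$c"; then echo "$c: server EKU present"
        else echo "$c: server EKU missing"; fi
    done
    rm -rf "$dir"
}
demo
```

Run `has_server_eku my.crt` against a real certificate; if nothing matches, the "X509v3 Extended Key Usage" block is absent from the `-text` output or does not list the server purpose.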