Security issues with public CA and signing certificates?

June Murderer june.murderer at yandex.com
Sat Mar 9 13:21:47 CET 2019


Hello everyone,

I am following up on what Alan wrote two years ago regarding self-signed certificates and public CAs. The concern was regarding the possibility of setting up a rogue access point.

For clients who do not have WiFi pre-configured, it does not change anything whether it is a self-signed certificate or a certificate from a public CA, because most of the users would trust the *fake* RADIUS certificate if it has all the human-readable fields of the *original* certificate.

For clients who do have WiFi pre-configured, Alan stated that people who use self-signed CAs for RADIUS are safe from this attack, while people who use public CAs might not be safe since someone could pay the $3k or so to get a signing certificate issued by that same CA and create the server certificate. 
According to Alan, this approach should work because most supplicants historically have not cached the *server* certificate. Instead, they only track the CA certificate.

By googling I was able to download the exact CA certificate we use and I was also able to download one of the three signing certificates (I suppose the root), so probably the two signing certificates I wasn't able to find are the intermediate ones.

However, on iOS, whenever I download the configuration profile I can see all the info of the CA certificate and the three signing certificates.

Would it be possible for someone with major hacking skills to deploy the server certificate by downloading or creating the signing certificates with all this information (not sure whether the private keys can be found)?


June.
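
Added example, not part of the original post and not FreeRADIUS project configuration: the difference between a supplicant that tracks only the CA certificate and one that also checks the server certificate's name, written as wpa_supplicant network blocks. wpa_supplicant as the supplicant, and the SSID, identities, CA path and server name, are assumptions constructed for illustration.

```conf
# Constructed wpa_supplicant.conf fragments; every value is a placeholder.
# The two blocks are alternatives: keep only one of them in a real file.

# Weak: only the issuing CA is checked. Any server certificate that chains
# to this CA is accepted, whatever name it carries.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    ca_cert="/etc/ssl/certs/example-public-ca.pem"
    phase2="auth=MSCHAPV2"
}

# Corrected: the CA check stays, and the server certificate must also carry
# the expected RADIUS server name (dNSName in subjectAltName, or the CN when
# no dNSName is present). A certificate from the same CA with another name
# fails the handshake before any inner credentials are sent.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    ca_cert="/etc/ssl/certs/example-public-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```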

