Security issues with public CA and signing certificates?

June Murderer june.murderer at yandex.com
Sat Mar 9 16:07:20 CET 2019


I see, thanks. 

So, as you stated two years ago, the only way to work on pre-configured clients would be to pay $3k or so to get the signing certificate signed with the private key of the CA (assuming the supplicant tracks only the CA certificate)?

June.


09.03.2019, 14:25, "Alan DeKok" <aland at deployingradius.com>:
> On Mar 9, 2019, at 7:21 AM, June Murderer <june.murderer at yandex.com> wrote:
>>  By googling I was able to download the exact CA certificate we use and I was also able to download one of the three signing certificates (I suppose the root), so probably the two signing certificates I wasn't able to find are the intermediate ones.
>>
>>  However, on iOS, whenever I download the configuration profile I can see all the info of the CA certificate and the three signing certificates.
>>
>>  Would it be possible for someone with major hacking skills to deploy the server certificate by downloading or creating the signing certificates with all this information (not sure whether the private keys can be found)?
>
>   If you don't have the private keys, you can't create a server certificate.
>
>   The CA certs are public for a reason. The information in them can't be used to do anything nefarious. You need the private keys.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
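
The point made in the reply above, as an added example that is not part of the original thread: a lookalike CA built only from public data (the same subject name, but a freshly generated key) cannot issue a server certificate that a client pinned to the real CA certificate will accept. It assumes the openssl CLI (1.1.1 or later); the CA name, the host name `radius.example.org` and the helper names `make_demo_pki` and `chain_ok` are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate here is generated locally.
# Assumes the openssl CLI (1.1.1 or later) is installed.

make_demo_pki() {   # $1 = empty working directory
    d=$1
    subj="/O=Example Trust/CN=Example Public Root CA"   # constructed CA name
    # Minimal config so both CA certificates carry basicConstraints CA:TRUE.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"

    # "real" = the public CA; "fake" = a lookalike built only from public data:
    # same subject name copied from the downloadable certificate, different key.
    for ca in real fake; do
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
            -subj "$subj" -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" \
            2>/dev/null || return 1
    done

    # One RADIUS server key and CSR, then one certificate issued by each CA.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.org" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    for ca in real fake; do
        openssl x509 -req -in "$d/srv.csr" -CA "$d/$ca-ca.pem" \
            -CAkey "$d/$ca-ca.key" -set_serial 1 -days 30 \
            -out "$d/srv-$ca.pem" 2>/dev/null || return 1
    done
}

# What a supplicant pinned to one CA certificate does: succeed only if the
# server certificate chains to that CA.
chain_ok() {        # $1 = trusted CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || echo "openssl failed" >&2
for ca in real fake; do
    if chain_ok "$demo_dir/real-ca.pem" "$demo_dir/srv-$ca.pem"; then
        echo "server cert from $ca CA key: accepted"
    else
        echo "server cert from $ca CA key: rejected"
    fi
done
```

Depending on the OpenSSL version, the rejection may be reported as a signature failure or as a missing issuer; in both cases the chain does not validate against the real CA certificate.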








