query on files under /etc/raddb/certs
simonkbaby at gmail.com
Thu Nov 12 23:00:00 CET 2020
When I read the README file, it says the following:
This directory contains scripts to create the server certificates.
To make a set of default (i.e. test) certificates, simply type:
The "openssl" command will be run against the sample configuration
files included here, and will make a self-signed certificate authority
(i.e. root CA), and a server certificate. This "root CA" should be
installed on any client machine needing to do EAP-TLS, PEAP, or
So can someone create a false certificate and key and create a session?
If we delete all these scripts also it is not possible to create any
certificate and we get complete control of where it gets the
certificates and keys?
On Thu, Nov 12, 2020 at 1:48 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 12, 2020, at 2:44 PM, SIMON BABY <simonkbaby at gmail.com> wrote:
> > Thank you for replying to me. So if I don't need to create certs and
> > Can I delete all those files
> If you're not using them, yes.
> > (To make them more secure by not creating any
> > cert and key by someone who can hack).
> That doesn't make sense. If you're not using them, it doesn't matter if
> someone else reads them. They don't mean anything, and they don't contain
> any useful information.
> > I have some static certs and key
> > files.
> You can *look* at those files to see what they are. There's a Makefile
> in raddb/certs which includes targets to print out the contents of the
> files. Or, you can use OpenSSL. These files aren't specific to
> FreeRADIUS. They're created with OpenSSL. So they can be read by OpenSSL.
> If you look at the files, odds are that they will be for "example.com"
> or "example.org". Which are web sites *not* owned by you. So the certs
> are entirely meaningless. And leaking the contents of these files does
> I am extremely wary of security theatre. If you want to delete files
> you don't use, that's one thing. But doing so does not make your systems
> any more secure.
> Alan DeKok.
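The inspection Alan DeKok describes above (reading the files in raddb/certs with OpenSSL to see whether they are the "example.com" / "example.org" test certificates), as an added example that is not part of the original thread or of FreeRADIUS. The function names are hypothetical, and `make_sample_cert` only generates constructed throwaway certificates so the check can be tried offline.

```shell
#!/bin/sh
# Added example: sort the certificates in a directory into "sample" (names an
# example.* domain, i.e. test material) and "review" (check whether the running
# radiusd configuration actually references it before touching it).

# cert_summary FILE: print subject, issuer and expiry of one PEM certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate 2>/dev/null
}

# is_placeholder_cert FILE: succeed if subject or issuer names example.com/org/net.
is_placeholder_cert() {
    cert_summary "$1" | grep -Eiq '^(subject|issuer)=.*example\.(com|org|net)'
}

# is_self_signed FILE: succeed if subject and issuer are the same name.
is_self_signed() {
    ss_subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    ss_iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    [ "${ss_subj#subject=}" = "${ss_iss#issuer=}" ]
}

# audit_cert_dir DIR: one line per certificate, "<tag><TAB><file name>".
audit_cert_dir() {
    for acd_f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$acd_f" ] || continue
        # Private keys and DH parameters are also PEM; only look at certificates.
        grep -q 'BEGIN CERTIFICATE' "$acd_f" || continue
        acd_tag=review
        is_placeholder_cert "$acd_f" && acd_tag=sample
        printf '%s\t%s\n' "$acd_tag" "${acd_f##*/}"
    done
}

# make_sample_cert FILE SUBJECT: constructed self-signed certificate, demo only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Run `audit_cert_dir /etc/raddb/certs` on the server; a certificate tagged `review` is one to compare against the certificate and CA paths in the EAP module configuration.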