query on files under /etc/raddb/certs

SIMON BABY simonkbaby at gmail.com
Thu Nov 12 23:00:00 CET 2020

Hi Alan,
When I read the file README it says below content:

This directory contains scripts to create the server certificates.
To make a set of default (i.e. test) certificates, simply type:

$ ./bootstrap

  The "openssl" command will be run against the sample configuration
files included here, and will make a self-signed certificate authority
(i.e. root CA), and a server certificate.  This "root CA" should be
installed on any client machine needing to do EAP-TLS, PEAP, or

So  can someone  create a false certificate and key and create a session ?
If we delete all these scripts also it is not possible to create any
certificate and we get complete control of where it gets the
certificates and keys ?


On Thu, Nov 12, 2020 at 1:48 PM Alan DeKok <aland at deployingradius.com>

> On Nov 12, 2020, at 2:44 PM, SIMON BABY <simonkbaby at gmail.com> wrote:
> >
> > Thank you for replying to me. So if, I don't need to create certs and
> keys
> > Can I delete all those files
>   If you're not using them, yes.
> > (To make them more secure by not creating any
> > cert and key by someone who can hack).
>   That doesn't make sense.  If you're not using them, it doesn't matter if
> someone else reads them.  They don't mean anything, and they don't contain
> any useful information.
> > I have some static certs and key
> > files.
>   You can *look* at those files to see what they are.  There's a Makefile
> in raddb/certs  which includes targets to print out the contents of the
> files.  Or, you can use OpenSSL.  These files aren't specific to
> FreeRADIUS.  They're created with OpenSSL.  So they can be read by OpenSSL.
>   If you look at the files, odds are that they will be for "example.com"
> or "example.org".  Which are web sites *not* owned by you.  So the certs
> are entirely meaningless. and leaking the contents of these files does
> nothing.
>   I am extremely wary of security theatre.  If you want to delete files
> you don't use, that's one thing.  But doing so does not make your systems
> any more secure.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list