On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a
> self-signed CA for signing my RADIUS server certs. To make a long
> story short, I was asked to find out what other people were doing.
This has been discussed extensively on the list!
> For my own reasons, I'd like to know slightly more than that. If you
> AREN'T using a self-signed CA for your RADIUS server, what made you
> use another CA, and what CA did you use?
We use a Verisign cert. We chose this because we decided the difficulty
of deploying the certificate to unmanaged client desktop, laptop and
mobile devices was excessive, given our client base.
I should emphasise that this is a 5 year old decision; at the time, the
various open-source cert deployment tools (e.g. su1x) were unavailable,
and there was (indeed, still is) an unwillingness to pay for a solution
such as CloudPath.
I should also emphasise that, at the time, the client base included
Windows Mobile 5 devices (on which it is practically impossible to
install certs) as well as guest laptops (on which the hassle of
installing a cert eats significantly into the time the guest is here).
Therefore, we opted for a public cert.
If we were starting from scratch, we'd probably use a private cert and
su1x to deploy it.
There is zero appetite to change certs (and reconfigure ~10,000 clients).
> And just to be clear, is the consensus still that a self-signed CA is
> the way to go, assuming that you have a decent way to distribute the
> CA cert (which we do) to the clients who need to trust it?
Yes, very much so. It is the safer and more secure default option.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
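The trust decision the thread is about, shown as an added example that is not part of the original message or of FreeRADIUS itself: a private CA is created, a RADIUS server certificate is issued from it, and the same check a supplicant performs (chain validation against one distributed CA certificate) is run with the openssl CLI. A certificate for the same server name issued by any other CA is rejected, which is the concrete reason a private CA is the narrower default. The CA names, the server name radius.example.edu and the file layout are constructed placeholders; the script assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Builds a private CA, issues a RADIUS server certificate from it, and checks
# which certificates a client that trusts only that CA would accept.
# Assumes the openssl CLI is available; all names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate and key named NAME.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" \
    >/dev/null 2>&1
}

# issue_server_cert CA SERVER: issue a certificate for SERVER signed by CA.
# The output file records the issuer so certificates for the same server
# name from different CAs can be compared.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" \
    >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.by-$1.crt" >/dev/null 2>&1
}

# verify_against TRUSTED_CA SERVER ISSUER: validate the certificate for
# SERVER that was issued by ISSUER against only TRUSTED_CA, the way a
# supplicant with a single distributed CA certificate would.
# Prints "trusted" or "rejected".
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.by-$3.crt" \
      >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Demonstration: our own private CA, plus a second CA standing in for
# "some other CA" that the client was never told to trust.
make_ca OrgRadiusCA
make_ca OtherCA
issue_server_cert OrgRadiusCA radius.example.edu
issue_server_cert OtherCA radius.example.edu

echo "own CA cert:   $(verify_against OrgRadiusCA radius.example.edu OrgRadiusCA)"
echo "other CA cert: $(verify_against OrgRadiusCA radius.example.edu OtherCA)"
```

The second line of output is the point: the certificate from OtherCA carries the same server name but fails validation, because the client's trust store contains only OrgRadiusCA. This only holds when supplicants are actually configured to validate the server certificate against that CA (and, ideally, to expect the specific server name); a client set to skip server validation accepts anything regardless of which CA signed the server certificate.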