I'm moving my WiFi to WPA-Enterprise, using a FreeRADIUS server that authenticates with our Samba 4 directory.

I'm currently using a self-signed certificate, but want to move to a purchased certificate instead. I understand the proper way would be to have my own CA and distribute its certificate through Group Policy, but to simplify things, I'll trade that risk for the simplicity of not having to add the CA's cert to each client.

My question is: will any SSL Certificate do? I'm looking, for example, at this one: https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx (the PositiveSSL).

If so, is there any requirement on the domain name to enter?

I understand Windows XP is picky with the certificate, but we don't have any XP computers around on WiFi (nor do I expect to have to support them).

  • http://serverfault.com/q/407281/126632 I do believe this covers _why you should not do this_ and some options for what to do instead. Setting up ADCS and distributing a CA certificate shouldn't take long at all. – Michael Hampton Aug 27 '15 at 18:38
  • I saw that. But what if I'm willing to trade that risk for the simplicity? After all, I'm coming from WPA-PSK, it's a bit of an update anyway. – pgb Aug 27 '15 at 18:42
  • All I have to do is set up a rogue AP with a certificate from _the same CA_ as the one you choose, and I can start collecting all your users' usernames and passwords as they connect to it, and if I proxy them to your real AP, none of them will notice anything wrong. Are you quite sure you want to take that risk? – Michael Hampton Aug 27 '15 at 18:44
  • Well, if you put it that way :) I'll look into distributing my own CA. – pgb Aug 27 '15 at 18:47
  • @MichaelHampton I ended up creating a VLAN for the WiFi clients, and decided to use WPA-PSK and a Captive Portal for authentication. Thank you for the feedback. – pgb Sep 02 '15 at 14:59
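
The risk raised in the comments comes down to what the client is told to verify about the RADIUS server's certificate. As an added example that is not part of the original thread, here is a wpa_supplicant client profile that trusts only the issuing CA beside one that also pins the server name; the SSID, host name, identity and file paths are constructed placeholders, and a wpa_supplicant client is an assumption, since the thread does not name one.

```conf
# Constructed example: SSID, host name, identity and paths are placeholders.
# The two blocks are alternatives; a real file would carry only one of them.

# Weak: the client accepts any server certificate that chains to the
# commercial CA, including one that CA issued to an unrelated party.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/commercial-root-ca.pem"
}

# Hardened: the certificate must chain to the named CA AND carry a dNSName
# (or, if it has none, a CN) matching the RADIUS server's own host name.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/commercial-root-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

Leaving out `ca_cert` altogether disables server certificate verification in wpa_supplicant, which is weaker than either profile above.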

0 Answers