Hello Nadav, On 10/01/2015 08:52 PM, Nadav Hod wrote:
> And keep in mind that not just private keys need to be kept secure.
> To authenticate phones with EAP-TLS I needed the Cisco call manager's
> CA to be stored locally on Radiator. The certificate was self-signed and not
> exportable without a Cisco admin account. If anyone else were to have access
> to that certificate they could impersonate my server. Same goes for any other
> supplicant with a CA which isn't made public.

In public key cryptography only the private key needs to be kept secure.

For example, a certificate is a public key that you can give to anyone in order for them to verify you. The CA signs certificates with its private key, and the CA certificate is used to validate the certificates the CA has signed.

So it is not possible to impersonate your server with the CA certificate. The CA's private key is needed to do that.

Best Regards,
Sami

--
Sami Keski-Kasari <sam...@open.com.au>
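The point Sami makes above, shown as an added example (not code from the list or from the Radiator project): a supplicant's trust store holds only the public CA certificate, a server certificate signed with the CA's private key validates against it, and a certificate from someone who holds only the CA certificate and must therefore sign with a key of their own does not. All names, serials and keys are constructed here; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on err; fine for demo code, not for a library.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// tmpl builds a minimal certificate template; names and serials are constructed for this example.
func tmpl(cn string, isCA bool, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA}
}
// issue signs a certificate for pub with signerKey under parent (parent == nil means self-signed).
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey))))
}

// Demo reports whether a server certificate issued with the CA's private key (genuineOK) and one issued by
// an imposter who holds only the public CA certificate (imposterOK) validate against that CA certificate.
func Demo() (genuineOK, imposterOK bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caCert := issue(tmpl("Constructed Test CA", true, 1), nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool() // the supplicant's trust store holds the public CA certificate only
	roots.AddCert(caCert)
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srv := issue(tmpl("radius.example.test", false, 2), caCert, &srvKey.PublicKey, caKey)
	_, genuineErr := srv.Verify(x509.VerifyOptions{Roots: roots})
	// The imposter can copy the CA's name, but without the CA private key must sign with a key of their own.
	imKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	imCA := issue(tmpl("Constructed Test CA", true, 1), nil, &imKey.PublicKey, imKey)
	imSrv := issue(tmpl("radius.example.test", false, 3), imCA, &srvKey.PublicKey, imKey)
	_, imposterErr := imSrv.Verify(x509.VerifyOptions{Roots: roots})
	return genuineErr == nil, imposterErr == nil
}
```

Demo() returns (true, false): the look-alike CA has the same subject name, so the verifier finds the real CA certificate as a candidate issuer, but the signature does not check out under the real CA's public key.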