
Unsigned Certificate on ACS for P-EAP?

o-ziltener
Level 4

Instead of a signed certificate from a certificate authority (for example VeriSign) or from my own CA, can I use an unsigned certificate (like what I can do with the WLSE for SSL) for a properly working PEAP environment?

Any input is very welcome.

7 Replies

scottmac
Level 11

Yes, you should be able to use any valid cert, signed or not.

Good Luck

Scott

gamccall
Level 8

On the server side, you'll be fine; you can install anything you want. And a well-behaved client will give the user the option to view and accept or reject the server certificate if it doesn't recognize the root.

However, not all clients are well-behaved. For some, you may need to manually install the server certificate into the client before attempting to authenticate against it. This isn't an insurmountable roadblock but it is an inconvenience.

michaelr
Cisco Employee

Just curious - what is an "unsigned cert"? I know of an X.509 cert (which is signed) but have not heard of an unsigned cert before.

Thanks,

michael

He should properly have said "self-signed" rather than "unsigned"... a cert issued by a server with no upstream certification path back to Verisign or other generally-recognized authority.

An unsigned cert is a cert which you produce yourself and which does not come from VeriSign or another authority!

So it sounds like you are actually talking about a cert not signed by an "official CA" (i.e., a CA whose cert is not pre-loaded into the browsers)?

Thanks.

That's correct. It's OK for verifying a qualified client, but it offers no assurance to people that the server offering / using the cert has been publicly identified and certified as who they say they are.

OK for client authentication, bad for a web site that may ask for credit card info.

FWIW

Scott
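
The distinction the thread settles on (self-signed, not unsigned) and the manual-install point made above can be checked with the `openssl` command line. This is an added example, not code from any poster or from Cisco; it assumes `openssl` is installed, and the certificate names (`acs.example.test`, "Constructed Public Root") are constructed placeholders.

```shell
#!/bin/sh
# Added example: all certificates are constructed throwaways; names are placeholders.
WORK=$(mktemp -d)

# make_self_signed NAME CN: write $WORK/NAME.key and $WORK/NAME.pem
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed: issuer equals subject AND the signature verifies under the
# certificate's own public key (it is its own trust anchor).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# client_trusts CERT ANCHORS: would a client whose trusted roots are ANCHORS accept CERT?
client_trusts() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint to compare out of band before installing a cert as trusted.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

yesno() { if "$@"; then echo yes; else echo no; fi; }

make_self_signed server acs.example.test                # stands in for the server cert
make_self_signed publicroot "Constructed Public Root"   # stands in for a preloaded CA

echo "server cert is self-signed:     $(yesno is_self_signed "$WORK/server.pem")"
echo "accepted with only public root: $(yesno client_trusts "$WORK/server.pem" "$WORK/publicroot.pem")"
echo "accepted after manual install:  $(yesno client_trusts "$WORK/server.pem" "$WORK/server.pem")"
fingerprint "$WORK/server.pem"
```

The fingerprint line is what an administrator would compare against the value read from the server itself before adding the certificate to a client's trusted store.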
