Tool for deploying CA certificates (802.1x)

  • Idea
  • Updated 5 years ago
I know that Private PSK is really awesome.

However, it would be nice to have a web page where you can download your CA certificate from an open SSID, or probably a way to send the certificate by e-mail, for an 802.1x authentication network. In the end you, as net admin, will always have to find a solution to do that, even if it is as trivial as sending the certificate by e-mail.

I know that in the enterprise you might think of PKI infrastructure, but even if you have deployed PKI there are a lot of exceptions like:

"That's the CEO's MacBook; it doesn't (and it won't) belong to the domain, but he wants to share files between the corporate laptop and his MacBook on the wireless network." Not to mention the myriad of mobile devices that cannot install certificates automatically, and that sometimes there are PKI policy misconfigurations, AD security policies and so on.

I think that if you provide the tool you can keep track of who is downloading the certificate, and that it is a better way to provide a certificate in a safe and easy manner.

This is just an idea. I've seen many administrators troubled by this type of issue who really need help with that.
Erick Muller

Posted 5 years ago

Erick Muller

Hey folks,

I don't know how orthodox this solution will be, but what I've done to solve this in the meantime is to create a special user "certdownload", allowing this user to have access only to the certificate mgmt page, to give the users access to the CA certificate.

The bad thing here is that you must have write rights in order to enable the export button so the users can actually export the certificate, and the import button is activated by that action as well. However, in my case this "special account" will be provided only to "admin or helpdesk users" in order to make it easier for them to configure 802.1x access to the network.

Probably a more elegant solution will be to create HM users with access only to the Certificate Mgmt page for each one of the helpdesk users, so you may know which account was part of an abuse in case there was some type of abuse.