The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

>     When comparing the two files, I realized I had forgotten the
> "TLSTrustedServerNames" section in my file.  I added it to the iPhone
> configuration utility "IAS Radius Server Certificate" and it is now
> failing.  I'm going to try to play around with this to see if I can
> figure out why this is failing.

Ah! It's indeed slightly unusual to have an end entity certificate which
does not have in its CN a fully-qualified domain name. Don't get me
wrong - this is perfectly fine PKI-wise and a bug-free supplicant would
not have issues with this at all.

That said, I'm not really sure if iOS is a bug-free supplicant :-)

Is it possible for you to test with a new certificate which has a CN
which is/looks like a valid fully-qualified domain name?

If it works at that point, then we have a pretty good indication that
there is indeed an issue with iOS and the names it allows in the CN.

This is then not strictly a CAT issue though; but we can update our list
of caveats on the "EAP Server Certificate Considerations" page for
everybody's benefit. The list is getting rather long as of recent :-/

Greetings,

Stefan Winter

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature