cat-users - Re: [cat-users] Problem with Linux Configuration Script

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: A.L.M.Buxey AT lboro.ac.uk, Michele de Varda <michele.devarda AT unimi.it>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] Problem with Linux Configuration Script
  • Date: Fri, 14 Mar 2014 23:27:41 +0100
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

First of all,
it is quite OK that the server certificate does not appear in the
profile. In fact it should never be uploaded.
If all systems worked well, only the root certificate would be needed,
and, of course the server should present the whole
chain (except for the root certificate). Since not all systems work
well, we advise to load the intermediates as well.

However this particular set of certificates present in the profile looks
strange.

It contains the following certs:

1.
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Certification Authority - G5

2.
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Certification Authority - G5
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of
use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3
International Server CA - G3

3.
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Certification Authority - G5
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public
Primary Certification Authority - G5

The server certificate (according to what Alan reports) is:

Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of
use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3
International Server CA - G3
Subject: C=IT, ST=Milano, L=Milano, O=Universita' degli Studi di Milano,
OU=Div. Telecomunicazioni, OU=For Intranet Use Only, CN=eduroam


Therefore the server is certified by (2) which in turn is certified by (1).
Certificate (3) is a root CA, which is also signed by another CA (this
is what the certificate 1 shows), but seems to have no role in this chain.

Certificate (1) is an intermediate CA not a root CA, therefore the
profile does not contain the most important piece - the ROOT CA for the
server.

The configuration should never work. I have tested the installer on
Windows 7 and it sets trust to certificate (3) - this is how CAT works -
it searches for self-signed CA certificates and uses them as trusted
CAs. But the server is not signed by this CA, so no client should accept
this configuration. Unfortunately I have no way to test this from home,
will take a look on Monday.

There is one more strange thing in this setup. The server certificate
has CN=eduroam. Since only the CN is checked as the server name, any
other certificate with this CN would be also tested. Therefore it
makes a lot more sense to put in the domain name of the server. CAs
should verify that the domain belongs to the requesting organisation
therefore there should be no risk that our users will suddenly trust
servers of other organisations.

Tomasz



On 14.03.2014, 21:02, A.L.M.Buxey AT lboro.ac.uk wrote:
> hi,
>
> on connecting to your RADIUS server, a client is presented with the
> following:
>
> /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>
> /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc.
> - For authorized use only/CN=VeriSign Class 3 Public Primary Certification
> Authority - G5
>
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server
> CA - G3
>
> /C=IT/ST=Milano/L=Milano/O=Universita' degli Studi di Milano/OU=Div.
> Telecomunicazioni/OU=For Intranet Use Only/CN=eduroam
>
>
>
> you seem to have a duplicate certificate in the chain (the first 2 are
> identical)...and that cert is not one that you've added to your profile it
> seems... (/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority) ..the 3rd cert you have added to your profile doesn't appear, at
> quick inspection, to be in the certificate presented by your RADIUS
> server....and the last one presented by your RADIUS server doesn't appear to
> be in your profile.
>
> what RADIUS platform? If e.g. FreeRADIUS, you can just copy the cert file
> you serve out from that server into your CAT profile (well, save file,
> upload it!). ensure your certs are in the order that they need to be - the
> closest to the server first..then first intermediate etc etc until the final
> one which is root. if you load the RADIUS server cert 'eduroam' into an SSL
> validation system you'll see the chain and required cert trust (look at the
> cert on Windows as the default cert viewer is quite useful).
>
> in fact...if i just add that first cert to the list of certs you provide in
> your profile chain then it validates fine! (if I don't add that, duplicated,
> cert, then it fails) eg
>
> openssl verify -verbose -purpose sslserver -CAfile cert_test.der cert5.der
> cert5.der: OK
>
>
> that's how it should be...... but with your provided chain I have
>
> openssl verify -verbose -purpose sslserver -CAfile cert_test.der cert5.der
> cert5.der: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> error 2 at 2 depth lookup:unable to get issuer certificate
>
>
> alan
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
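
The issuer/subject walk-through in the message above can be automated as a lint over a profile's CA bundle, using the rule Tomasz describes for CAT (self-signed certificates become the trusted CAs). This is an added example, not part of the original message and not CAT code; it compares distinguished names only (no signature or key checks), and every name and data value in it is constructed.

```python
"""Name-based lint for a CA bundle: does the server's chain reach a self-signed root?"""

def trust_anchors(bundle):
    # Self-signed entries (issuer == subject) are what gets picked as trusted CAs.
    return [c["subject"] for c in bundle if c["issuer"] == c["subject"]]

def paths_to_anchor(server_issuer, bundle):
    """Walk issuer names upward from the server certificate.

    Returns (complete, dead_ends): complete paths end at a self-signed entry;
    dead_ends are issuer names that no certificate in the bundle carries.
    """
    complete, dead_ends = [], []

    def walk(name, path):
        candidates = [c for c in bundle if c["subject"] == name]
        if not candidates:
            dead_ends.append(name)
            return
        for cert in candidates:  # several certificates may share one subject
            if cert["issuer"] == cert["subject"]:
                complete.append(path + [name])
            elif cert["issuer"] not in path:  # skip name loops
                walk(cert["issuer"], path + [name])

    walk(server_issuer, [])
    return complete, dead_ends

def report(server_issuer, bundle):
    complete, dead_ends = paths_to_anchor(server_issuer, bundle)
    reached = {p[-1] for p in complete}
    unused = [a for a in trust_anchors(bundle) if a not in reached]
    return {"ok": bool(complete), "missing": dead_ends, "unused_anchors": unused}

# Constructed sample data (not the certificates from this thread).
SERVER_ISSUER = "CN=Constructed Issuing CA"
BROKEN = [
    {"subject": "CN=Constructed Issuing CA", "issuer": "CN=Constructed Root A"},
    {"subject": "CN=Constructed Root B", "issuer": "CN=Constructed Root B"},
]
FIXED = BROKEN + [
    {"subject": "CN=Constructed Root A", "issuer": "CN=Constructed Root A"},
]

if __name__ == "__main__":
    print("broken:", report(SERVER_ISSUER, BROKEN))
    print("fixed: ", report(SERVER_ISSUER, FIXED))
```

The issuer and subject strings can be taken from `openssl x509 -noout -issuer -subject` for each certificate in the bundle; a passing result here still needs confirming with `openssl verify`, which checks the signatures.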





