cat-users - Re: [cat-users] Realm connectivity tests

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [cat-users] Realm connectivity tests


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Fabian Mauchle <fabian.mauchle AT switch.ch>, cat-users AT geant.net
  • Subject: Re: [cat-users] Realm connectivity tests
  • Date: Tue, 16 Jun 2015 09:32:35 +0100
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66

Hello,

> The Realm 'Static connectivity tests' show some issues with our
> certificates (issued by QuoVadis), stating that the BasicConstraints
> extension is missing.
>
> I can't find any issues with this extension missing. RFC 5280 states that
> it "MAY appear [...] in end entity certificates". But there is no MUST
> (it's only mandatory for CA certs).

Yes, that's what the RFC states. Unfortunately, real-life software often
goes its own way in interpreting certificates. The RFC also doesn't
require a CA to have a pointer to its CRL Distribution Point; but still
some software barks if it's missing.

This particular extravaganza seems to have been an issue in Mac OS X
10.8; we had a thread on 28 Aug 2013 on this list where the OP tried
many things to get his certificate working, and adding the
"basicConstraints: CA=FALSE (critical)" was the one thing that made his
setup work.

> Earlier revisions (RFC 2459) even once stated that it "SHOULD NOT appear
> in end entity certificates".

Once upon a time... Hopefully your server certificate isn't that ancient :-)

> Further, I could not reproduce the issues described (related to Mac OS X
> 10.8). My OS X 10.8 test client works perfectly well with this CAT
> configuration and certificate.

Okay, we added this check because the results from the experimentation
on that thread were rather explicit. I will run a test with Yosemite
(don't have 10.8 handy any more), and see if I can see a problem with
your realm's cert (this is @switch.ch, right?). This will need to wait
until after 01 July though as I'm at a conference right now and have an
important meeting coming up right after that.

Greetings,

Stefan Winter

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
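Reproducing the "BasicConstraints missing" finding locally with the openssl CLI, as an added example that is not from this thread or the CAT project: it signs one throwaway server certificate without the extension and one with the "basicConstraints: CA=FALSE (critical)" form discussed above, then inspects both the way the realm test does. The subject radius.example.org and all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or CAT): build two test certificates
# from one CSR and check whether an end-entity basicConstraints is present.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key + CSR standing in for a RADIUS server certificate request
# (hypothetical subject name)
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -subj "/CN=radius.example.org" -out "$WORK/req.csr" 2>/dev/null

# Extension files: "bare" is what a CA that follows RFC 5280 literally may
# issue; "fixed" adds the critical CA:FALSE that made the 10.8 client work.
printf 'extendedKeyUsage=serverAuth\n' > "$WORK/bare.cnf"
printf 'extendedKeyUsage=serverAuth\nbasicConstraints=critical,CA:FALSE\n' \
  > "$WORK/fixed.cnf"

# Self-sign both from the same CSR so the only difference is the extension set
openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" -days 1 \
  -extfile "$WORK/bare.cnf" -out "$WORK/bare.pem" 2>/dev/null
openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" -days 1 \
  -extfile "$WORK/fixed.cnf" -out "$WORK/fixed.pem" 2>/dev/null

# Returns 0 when the certificate carries basicConstraints with CA:FALSE,
# 1 when the extension is absent (or, for a misissued cert, says CA:TRUE).
has_ee_basic_constraints() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:FALSE'
}

# cert_status FILE -> prints OK or MISSING, mirroring what the realm test reports
cert_status() {
  if has_ee_basic_constraints "$1"; then echo OK; else echo MISSING; fi
}

cert_status "$WORK/bare.pem"    # MISSING
cert_status "$WORK/fixed.pem"   # OK
```

Run `has_ee_basic_constraints` against your own RADIUS server certificate to see which of the two cases it falls into.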
