The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

follow-up: I found both PEMs on the net. I attach them both for convenience.
From what VeriSigns website tells me, it seems like the "G5 root"
variant exists since 2010. Before that, it was an intermediate to the
"Primary" CA.

When configuring you need to be consistent:

EITHER: define the G5 root variant as the root, and *don't* send the
intermediate variant during EAP. This is utterly confusing to the client.

OR: define the "Primary CA" as the root, and include the G5 intermediate
variant in CAT config and EAP. Do not send the G5 root variant in the
EAP conversation then.

(in both cases, of course continue to send the G4 intermediate)

This is mostly a mess on VeriSign's side - but you need to be cautious,
too. "More helps more" does not apply to PKI certificates. You need to
send a consistent message. Superfluous items are okay (for most client
devices), but *conflicting ones* are not.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: unimi-intermediate-VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem
Description: application/pem-file

Attachment: unimi-root-VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem
Description: application/pem-file

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature