The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Michele de Varda <michele.devarda AT unimi.it>]

Dear Stefan,

thank you again for your great support.
...

On 08/07/2015 12:52 PM, Stefan Winter wrote:
> Hi,
>
> follow-up: I found both PEMs on the net. I attach them both for convenience.
>  From what VeriSigns website tells me, it seems like the "G5 root"
> variant exists since 2010. Before that, it was an intermediate to the
> "Primary" CA.
>
> When configuring you need to be consistent:
>
> EITHER: define the G5 root variant as the root, and *don't* send the
> intermediate variant during EAP. This is utterly confusing to the client.
In this case  have I to modify the RADIUS certificate putting only
server cert +
intermediate with only Symantec Class 3 Secure Server CA - G4?

On CAT side have I to put only G5 root?

> OR: define the "Primary CA" as the root, and include the G5 intermediate
> variant in CAT config and EAP. Do not send the G5 root variant in the
> EAP conversation then.
I put the "Class 3 Public Primary Certification Authority"  root 
certificate on cat configuration (see attached file 
CAT_certificate_not_working.jpg).
Android seems to work but in the Wi-Fi config I see "certificate not 
specified", Windows 7 doesn't work and when I run cat conf tool I see a 
message that I have never seen with the old confs  (see CAT_message.jpg).
In this case I didn't touch the RADIUS server certificate.

> (in both cases, of course continue to send the G4 intermediate)
>
> This is mostly a mess on VeriSign's side - but you need to be cautious,
> too. "More helps more" does not apply to PKI certificates. You need to
> send a consistent message. Superfluous items are okay (for most client
> devices), but *conflicting ones* are not.
You are right, I hope to not have conflicting items :-)

> Greetings,
>
> Stefan Winter

Thanks a lot,

Michele

Attachment: CAT_certificate_not_working.jpg
Description: JPEG image

Attachment: CAT_message.JPG
Description: JPEG image