
cat-users - Re: [cat-users] CAT certificate trouble

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Rob Ansaldo <rlansaldo AT amherst.edu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] CAT certificate trouble
  • Date: Wed, 14 Oct 2015 14:43:39 +0000
  • Accept-language: en-US
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi Tomasz,

Thank you for the info. It appears that for some reason the Windows 7
computer is interpreting one of the intermediate certificates as the root
cert and since this is not trusted it does not authenticate properly. If I
uncheck the box for “Do not prompt the user…” I do get the prompt, but the
Root CA in the pop up is not the root, but one of the intermediates (shows
“Root CA: USERTrust RSA Certification Authority” in the popup). The cert
chain should look like this:

AddTrust External CA Root
USERTrust RSA Certification Authority
InCommon RSA Server CA
radius.amherst.edu

AddTrust is set to trusted by CAT, but not USERTrust, yet the computer thinks
USERTrust is the root? Is there a way to have the CAT trust both of these on
Windows? CAT works fine on Mac OS X and iOS 9 devices.



> On Oct 13, 2015, at 5:07 PM, Tomasz Wolniewicz
> <twoln AT umk.pl>
> wrote:
>
> Hi,
> the trust is anchored at the root CA, no intermediates should be
> listed in the selection box.
> The "do not prompt" should be checked so that if a fake eduroam should
> be found, the user should not be tempted to break the security warning
> and connect.
>
> I will test your installers and try to find out what the problem can be.
>
> Tomasz
>
>
> On 13.10.2015 at 22:23, Rob Ansaldo wrote:
>> I don’t know if I am doing something wrong or if this is a side effect of
>> the CAT version 1.1, but we are attempting to update our CAT due to a
>> replacement of our RADIUS server certificate. I have uploaded the cert
>> chain to the CAT admin page and see that it successfully loaded the CA
>> root and both intermediate certificates, but when I run the resulting CAT
>> for Windows 7, the EAP properties page only shows the root CA as trusted.
>> One of the intermediates is listed, but not trusted and the other
>> intermediate is not listed at all. The “Do not prompt user to authorize
>> new servers or trusted certificate authorities” box is checked, so the
>> user is not prompted to trust the others in the chain and subsequently
>> fails to connect.
>>
>> Have I uploaded the certificates to the CAT admin page incorrectly, out of
>> order or some other mistake - or could this be a bug in the Windows
>> installer?
>>
>> This above is for inst_id=709.
>
> --
> Tomasz Wolniewicz
>
> twoln AT umk.pl
> http://www.home.umk.pl/~twoln
>
> Uczelniane Centrum Informatyczne / Information&Communication Technology Centre
> Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
> pl. Rapackiego 1, Torun / pl. Rapackiego 1, Torun, Poland
> tel: +48-56-611-2750, fax: +48-56-622-1850, mobile: +48-693-032-576
>

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
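
The symptom described in this message, as an added example that is not part of the original thread or of CAT: a name-only model of path building that shows how a client can end on a different anchor than the one the profile trusts. It assumes, without confirmation from the thread, that the client's own store holds a self-signed certificate with the same subject as the second certificate in the chain; `build_path`, `check_profile` and the constants are hypothetical names.

```python
# Added illustration (not from the thread): a name-only model of certificate
# path building. Real clients also match keys and verify signatures.
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

# Chain as listed in the message, leaf first.
SERVER_CHAIN = [
    Cert("radius.amherst.edu", "InCommon RSA Server CA"),
    Cert("InCommon RSA Server CA", "USERTrust RSA Certification Authority"),
    Cert("USERTrust RSA Certification Authority", "AddTrust External CA Root"),
    Cert("AddTrust External CA Root", "AddTrust External CA Root"),
]
# The only CA the thread says the installer marks as trusted.
PROFILE_TRUSTED = {"AddTrust External CA Root"}
# ASSUMPTION (constructed): the client's own store holds a self-signed
# certificate whose subject matches the second certificate in the chain.
LOCAL_SELF_SIGNED = {"USERTrust RSA Certification Authority"}

def build_path(chain, local_self_signed):
    """Return subjects from the leaf to the anchor the client ends on."""
    by_subject = {c.subject: c for c in chain}
    path, cur = [], chain[0]
    while True:
        if cur.subject in path:
            raise ValueError("issuer loop at " + cur.subject)
        path.append(cur.subject)
        if cur.subject == cur.issuer:          # self-signed: end of chain
            return path
        if cur.issuer in local_self_signed:    # local self-signed copy wins
            return path + [cur.issuer]
        if cur.issuer not in by_subject:
            raise ValueError("missing issuer: " + cur.issuer)
        cur = by_subject[cur.issuer]

def check_profile(chain, local_self_signed, profile_trusted):
    """Return (anchor, accepted) for a profile that never prompts the user."""
    anchor = build_path(chain, local_self_signed)[-1]
    return anchor, anchor in profile_trusted

if __name__ == "__main__":
    for store in (set(), LOCAL_SELF_SIGNED):
        anchor, ok = check_profile(SERVER_CHAIN, store, PROFILE_TRUSTED)
        print(f"anchor={anchor!r} accepted={ok}")
```
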



