The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Louis Twomey <louis.twomey AT heanet.ie>]

Hi Rob,
I hit this problem too with a number of Windows machines. The issue is
that the Windows certificate store has an old root certificate with
the same name as the intermediate cert, and anything that uses that
certificate store (wireless client, Internet Explorer, any web browser
that doesn't have a built-in root CA trust list, etc.) chains
incorrectly to that old root cert.

The workaround is to delete or disable that old cert, and chaining
will then work correctly. A "cleaner" fix is to migrate to an SSL cert
with a different chain so that no changes are need on the mobile device.

What I don't understand is why this issue is not more prevalent. It
arises here consistently with various Windows clients but I don't see
or hear many other sites reporting the problem. I've wondered in the
past whether the certificate store on our staff machines is uniquely
"broken" but if that's obviously not the case.

Regards,
Louis.

On 14/10/2015 15:43, Rob Ansaldo wrote:
> Hi Tomasz,
> 
> Thank you for the info. It appears that for some reason the Windows
> 7 computer is interpreting one of the intermediate certificates as
> the root cert and since this is not trusted it does not
> authenticate properly. If I uncheck the box for “Do not prompt the
> user…” I do get the prompt, but the Root CA in the pop up is not
> the root, but one of the intermediates (shows “Root CA: USERTrust
> RSA Certification Authority” in the popup). The cert chain should
> look like this:
> 
> AddTrust External CA Root USERTrust RSA Certification Authority 
> InCommon RSA Server CA radius.amherst.edu
> 
> AddTrust is set to trusted by CAT, but not USERTrust, yet the
> computer thinks USERTrust is the root? Is there a way to have the
> CAT trust both of these on Windows? CAT works fine on Mac OS X and
> iOS 9 devices.
> 
> 
> 
>> On Oct 13, 2015, at 5:07 PM, Tomasz Wolniewicz 
>> <twoln AT umk.pl>
>> wrote:
>> 
>> Hi, the trust is anchored at the root CA, no intermediates should
>> be listed in the selection box. The "do not prompt" should be
>> checked so that if a fake eduroam should be found, the user
>> should not be tempted to break the security warning and connect.
>> 
>> I will test your installers and try to find out what the problem
>> can be.
>> 
>> Tomasz
>> 
>> 
>> W dniu 13.10.2015 o 22:23, Rob Ansaldo pisze:
>>> I don’t know if I am doing something wrong or if this is a side
>>> effect of the CAT version 1.1, but we are attempting to update
>>> our CAT due to a replacement of our RADIUS server certificate.
>>> I have uploaded the cert chain to the CAT admin page and see
>>> that it successfully loaded the CA root and both intermediate
>>> certificates, but when I run the resulting CAT for Windows 7,
>>> the EAP properties page only show the root CA as trusted. One
>>> of the intermediates is listed, but not trusted and the other
>>> intermediate is not listed at all. The “Do not prompt user to
>>> authorize new servers or trusted certificate authorities” box
>>> is checked, so the user is not prompted to trust the others in
>>> the chain and subsequently fails to connect.
>>> 
>>> Have I uploaded the certificates to the CAT admin page
>>> incorrectly, out of order or some other mistake - or could this
>>> be a bug in the Windows installer?
>>> 
>>> This above is for inst_id=709.
>> 
>> -- Tomasz Wolniewicz 
>> twoln AT umk.pl
>> http://www.home.umk.pl/~twoln
>> 
>> Uczelniane Centrum Informatyczne       Information&Communication
>> Technology Centre Uniwersytet Mikolaja Kopernika         Nicolaus
>> Copernicus University, pl. Rapackiego 1, Torun                pl.
>> Rapackiego 1, Torun, Poland tel: +48-56-611-2750     fax:
>> +48-56-622-1850       tel kom.: +48-693-032-576
>> 
> 

-- 
HEAnet Limited                               
louis.twomey AT heanet.ie
5 George's Dock, IFSC, Dublin 1, D01 X8N7    Tel: +353-1-6609040
Web: http://www.heanet.ie                    Fax: +353-1-6603666
Registered in Ireland, no 275301             PGP key: C77D9256

--- Please consider the environment before printing this e-mail ---