The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Morris, Andi" <amorris AT cardiffmet.ac.uk>]

"CRLDP defined point in root CA might be the only issue - if you dont have 
one then some clients arent going to work"

 - Looking at the current Root cert properties I can't see one of these at 
the moment. I'll look to add this in if we move to a SHA256 or higher root 
cert in the future.

I appreciate this has crept out of the cat-users topic now so I'm happy to 
leave this. Thanks everyone for the advice.

Cheers,
Andi

-----Original Message-----
From: 
A.L.M.Buxey AT lboro.ac.uk
 
[mailto:A.L.M.Buxey AT lboro.ac.uk]
Sent: 07 April 2016 13:39
To: Morris, Andi 
<amorris AT cardiffmet.ac.uk>
Cc: 
cat-users AT lists.geant.org
Subject: Re: [[cat-users]] SHA1 sunsetting

Hi,

>    So, looking at that setup it doesn't matter that my root cert is SHA1, 
> but
>    we'll likely hit issues if the server cert is SHA1. However as that's not
>    setup on the user devices I would guess that if I use the same root CA to
>    create a new SHA256 server certificate with the same common name and tell
>    the radius server to send that instead it would be transparent to users?

pretty much - certainly until clients get fussy about SHA1 root CAs...  
however, any eg iOS devices that were 'setup' by the user just joining 
eduroam SSID and putting in their user/pass will get a verification check 
warning as the device uses the server fingerprint as part of the local 
profile.... but this is the eduroam CAT list so want affect eduroamCAT 
configured devices.

so same common name - and SAN too (for greater client compatibility) - CRLDP 
defined point in root CA might be the only issue - if you dont have one then 
some clients arent going to work

alan
________________________________

[Cardiff Metropolitan University - 150 years of nurturing 
talent]<http://www.cardiffmet.ac.uk/cardiffmet150>