
cat-users - RE: [[cat-users]] SHA1 sunsetting

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Morris, Andi" <amorris AT cardiffmet.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] SHA1 sunsetting
  • Date: Thu, 7 Apr 2016 13:07:45 +0000
  • Accept-language: en-GB, en-US

"CRLDP defined point in root CA might be the only issue - if you don't have
one then some clients aren't going to work"

- Looking at the current Root cert properties I can't see one of these at
the moment. I'll look to add this in if we move to a SHA256 or higher root
cert in the future.

I appreciate this has crept out of the cat-users topic now so I'm happy to
leave this. Thanks everyone for the advice.

Cheers,
Andi

-----Original Message-----
From: A.L.M.Buxey AT lboro.ac.uk [mailto:A.L.M.Buxey AT lboro.ac.uk]
Sent: 07 April 2016 13:39
To: Morris, Andi <amorris AT cardiffmet.ac.uk>
Cc: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] SHA1 sunsetting

Hi,

> So, looking at that setup it doesn't matter that my root cert is SHA1, but
> we'll likely hit issues if the server cert is SHA1. However as that's not
> set up on the user devices I would guess that if I use the same root CA to
> create a new SHA256 server certificate with the same common name and tell
> the radius server to send that instead it would be transparent to users?

pretty much - certainly until clients get fussy about SHA1 root CAs...
however, any e.g. iOS devices that were 'setup' by the user just joining
eduroam SSID and putting in their user/pass will get a verification check
warning as the device uses the server fingerprint as part of the local
profile.... but this is the eduroam CAT list so won't affect eduroamCAT
configured devices.

so same common name - and SAN too (for greater client compatibility) - CRLDP
defined point in root CA might be the only issue - if you don't have one then
some clients aren't going to work

alan


