cat-users - Re: [[cat-users]] SHA1 sunsetting

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] SHA1 sunsetting
  • Date: Thu, 7 Apr 2016 21:03:55 +0200

CRL distribution point is not set in the root cert but in the
certificates it issues, therefore the server cert in your case.
Indeed you should have this set in the server cert. Some clients get
fussy about that even if they make no use of this information.

Tomasz


On 07.04.2016 at 15:07, Morris, Andi wrote:
> "CRLDP defined point in root CA might be the only issue - if you don't have
> one then some clients aren't going to work"
>
> - Looking at the current Root cert properties I can't see one of these at
> the moment. I'll look to add this in if we move to a SHA256 or higher root
> cert in the future.
>
> I appreciate this has crept out of the cat-users topic now so I'm happy to
> leave this. Thanks everyone for the advice.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: A.L.M.Buxey AT lboro.ac.uk [mailto:A.L.M.Buxey AT lboro.ac.uk]
> Sent: 07 April 2016 13:39
> To: Morris, Andi <amorris AT cardiffmet.ac.uk>
> Cc: cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] SHA1 sunsetting
>
> Hi,
>
>> So, looking at that setup it doesn't matter that my root cert is SHA1, but
>> we'll likely hit issues if the server cert is SHA1. However as that's not
>> set up on the user devices I would guess that if I use the same root CA to
>> create a new SHA256 server certificate with the same common name and tell
>> the radius server to send that instead it would be transparent to users?
> pretty much - certainly until clients get fussy about SHA1 root CAs...
> however, any e.g. iOS devices that were 'setup' by the user just joining
> eduroam SSID and putting in their user/pass will get a verification check
> warning as the device uses the server fingerprint as part of the local
> profile.... but this is the eduroam CAT list so won't affect eduroamCAT
> configured devices.
>
> so same common name - and SAN too (for greater client compatibility) -
> CRLDP defined point in root CA might be the only issue - if you don't have
> one then some clients aren't going to work
>
> alan

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750  fax: +48-56-622-1850  mobile: +48-693-032-576
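
A check for the points raised in this thread, as an added example that is not part of the original messages: it inspects a server certificate's signature hash, CRL distribution point and subjectAltName with the openssl CLI. The function names, the throwaway demo CA and the `radius.example.org` name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# check_server_cert CERT.pem: print one line per check, return the failure count.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 99
    fails=0
    # Hash used in the signature on the server certificate itself.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo "FAIL signature algorithm: $sig"; fails=$((fails + 1)) ;;
        *) echo "ok   signature algorithm: $sig" ;;
    esac
    # The CRL distribution point belongs in the issued (server) certificate.
    if printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points'; then
        echo "ok   CRL distribution point present"
    else
        echo "FAIL no CRL distribution point"; fails=$((fails + 1))
    fi
    # SAN alongside the common name, for client compatibility.
    if printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name'; then
        echo "ok   subjectAltName present"
    else
        echo "FAIL no subjectAltName"; fails=$((fails + 1))
    fi
    return "$fails"
}

# issue_demo_cert DIR OUT.pem [EXTFILE]: constructed throwaway CA and server
# certificate for trying the check; not a production issuing procedure.
issue_demo_cert() {
    [ -f "$1/ca.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj '/CN=Constructed Demo Root' -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=radius.example.org' \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -sha256 -days 2 ${3:+-extfile "$3"} -out "$2" 2>/dev/null
}

# Stand-alone use: sh check.sh server.pem
if [ "$#" -ge 1 ]; then check_server_cert "$1"; fi
```

An RSA-PSS signature is printed by openssl without the hash on the `Signature Algorithm` line, so such a certificate needs its parameters read separately.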



