
cat-users - Re: [[cat-users]] Comodo SSL root

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Andy Gatward <a.j.gatward AT reading.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Comodo SSL root
  • Date: Fri, 22 Apr 2016 16:07:58 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> I have just stumbled across an issue with Windows and the handling of
> newly-issued certificates from Comodo. We kept with this route so we
> wouldn’t have to do a mammoth change in profiles for our end users, as
> we believed that everything should still chain back to ‘AddTrust
> External CA Root’. Unfortunately, it seems that Microsoft have decided
> that one of the intermediate certificates, ‘COMODO RSA Certification
> Authority’ is actually the anchor point for the newly-issued server
> certificate.
>
> The CAT tool (correctly) doesn’t acknowledge the RSA CA certificate as a
> root; however this breaks Windows platforms as they don’t believe that
> the correct root, ‘AddTrust External CA Root’ is the anchor point.

Ah, intermediates becoming roots again. This happened with a few CAs
already; I don't know why this is popular in CAs.

A possible solution is that you make a fresh download of the now-root
which you used to know as an intermediate - even though the name is
identical, the certificate will actually be different in some aspects.

Then, upload that new root version of it into CAT. Ideally, CAT would
recognise it as a root CA and you can ship profiles with *both* roots
(the old CA, and the new CA).

This only has an effect on future profile consumptions. Devices which
are already configured with the old root (only), will very likely
continue to complain :-(

Another reason to run a private CA.

Greetings,

Stefan Winter


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
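
The situation described in this message, as an added example that is not part of the original e-mail: one CA name and key existing both as a self-signed root and as a cross-signed intermediate, with a server certificate that validates to either anchor. It uses the `openssl` command line; every name in it (`Demo Old Root`, `Demo New CA`, `radius.example.org`) is constructed for the demo and no real Comodo or AddTrust certificate is involved.

```shell
#!/bin/sh
# Constructed demo certificates only; none of these is a real Comodo or AddTrust certificate.
set -e
WORK=$(mktemp -d)
q() { "$@" 2>/dev/null; }   # run a command with openssl's progress chatter hidden

make_demo_pki() {
    # Old root: stands in for the anchor that existing profiles pin.
    q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Old Root" \
        -keyout "$WORK/old.key" -out "$WORK/old-root.pem"
    # New CA key published as a self-signed root ...
    q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo New CA" \
        -keyout "$WORK/new.key" -out "$WORK/new-as-root.pem"
    # ... and the same name and key cross-signed by the old root (the "intermediate").
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    q openssl req -new -key "$WORK/new.key" -subj "/CN=Demo New CA" -out "$WORK/new.csr"
    q openssl x509 -req -in "$WORK/new.csr" -CA "$WORK/old-root.pem" -CAkey "$WORK/old.key" \
        -set_serial 2 -days 30 -extfile "$WORK/ca.ext" -out "$WORK/new-as-intermediate.pem"
    # Server certificate (constructed host name) issued with the new CA key.
    q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr"
    q openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/new-as-root.pem" -CAkey "$WORK/new.key" \
        -set_serial 3 -days 30 -out "$WORK/server.pem"
}

# Prints "root" if issuer == subject and the signature verifies under the cert's own key.
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
    then echo root; else echo intermediate; fi
}

# Does server.pem chain to anchor $1, optionally via the untrusted helper certificate $2?
chains_to() {
    openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$WORK/server.pem" >/dev/null 2>&1
}

make_demo_pki
for f in old-root new-as-root new-as-intermediate; do
    echo "$f: $(classify_cert "$WORK/$f.pem")"
done
chains_to "$WORK/new-as-root.pem" && echo "server chains to the new root"
chains_to "$WORK/old-root.pem" "$WORK/new-as-intermediate.pem" && echo "server chains to the old root via the cross-signed copy"
```

Running `classify_cert` on a downloaded CA file before uploading it shows which of the two variants it is, since the subject name alone does not.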



