The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[David Trill <David.Trill AT Marine.ie>]

That's great Stefan, Thank you very much for the reply. 

-----Original Message-----
From: Stefan Winter 
[mailto:stefan.winter AT restena.lu]
 
Sent: 19 May 2016 08:54
To: David Trill 
<David.Trill AT Marine.ie>;
 
'cat-users AT lists.geant.org'
 
<cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] help with error

Hi,

> Thank you for the reply. Our cert is self-signed by our own CA. Would this 
> mean I cannot create installers? It's not a big deal if I can't, I can 
> create the profile manually for our users. I've attached the cert for you.

You can use CAT alright: you just need to upload the cert of the issuing
*CA* - not the server cert.

I.e. the cert with the name

Subject: DC=ie, DC=Marine, CN=mica

However, looking at the server cert you attached, you will not have much luck 
with contemproary client operating systems. The server cert is still signed 
with SHA-1 which is not acceptable on many OSes any more.

Your CA can issue a new server cert though, this time signing with SHA-256.

Once the CA is in the system, you can also run a comprehensive set of checks 
against your cert chain with the "Check realm reachability"
button. These checks warn, among others, of SHA-1.

Greetings,

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's 
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66