cat-users - Re: [[cat-users]] RADIUS Server Certificate Renewal - MS NPS 2012R2 + private CA certificate renewal - MS Certificate Authority

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org, sjohnson AT scuhs.edu
  • Subject: Re: [[cat-users]] RADIUS Server Certificate Renewal - MS NPS 2012R2 + private CA certificate renewal - MS Certificate Authority
  • Date: Thu, 5 Jan 2017 16:31:54 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

you can upload the new and old CA simultaneously to CAT. On all
supported client OSes, both will be installed and both will be marked
trusted.

It's a very good idea to do this as early as possible so that every
newly configured user gets the new certificate ahead of time. They will
then not even notice the change of server cert from old to new trust root.

There is only one fraction of CAT-supported client OSes which does not
support multiple root CAs: Android versions < 7.1.

For those, only one CA will be installed (I don't recall the ordering in
the CAT interface; to be sure you could create a profile just for
Android and only load the desired one into that profile).

Android 7.1 finally got its support for multiple CAs and I think the app
already supports that (Gareth to correct me if I'm wrong).

But we all know the update situation on Android and it is thus naive to
think that this problem will wither out in anything less than five
years. :-( I'm afraid there's little we can do about it.

Greetings,

Stefan Winter

On 05.01.2017 at 09:05, Scott Johnson wrote:
> Our two radius servers running MS NPS 2012R2 will renew their
> certificates in the next 30 days. These are certificates issued by our
> private root CA (MS Certificate Authority 2012R2) – private root CA
> expiration date 2018
>
> Are any changes needed for eduroam & the CAT installer?
>
> Also our private root CA certificate will need to be renewed in the
> beginning of 2018. How does that affect eduroam & CAT? I know I would
> have to update the root CA certificate on the CAT installer package, but
> can I put the old & new in there at the same time?
>
> If it’s a big issue I would prefer to get in front of it sooner than
> later… Our Fall class (September start) is always the biggest so if
> things need to happen it would be best to do it before the fall class
> and prepare everyone else with months of warning since the students
> don’t actually read emails….
>
> On a side note I want to ALSO move both the NPS servers & the
> Certificate Authority server to Windows Server 2016. Anyone have
> experience there yet?
>
> *Scott Johnson*
>
> *IT Infrastructure Manager *
>
> Southern California University of Health Sciences
>
> 16200 Amber Valley Drive, Whittier, CA 90604
>
> Phone: (562) 902-3347 Mobile: (714) 758-5991
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
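
Added example (not part of the original message, and not CAT or NPS code): a throwaway openssl lab showing why clients that hold both roots ride through the changeover, while a client holding a single root accepts only one of the two server certificates. It assumes the renewed root is a distinct certificate with a new key; all names (old-root, new-root, radius-before, radius-after) are constructed.

```shell
#!/usr/bin/env bash
# Constructed lab: throwaway roots and RADIUS server certificates generated
# on the fly. Assumption: the renewed root CA uses a new key pair.
WORK=$(mktemp -d)

make_root() {   # $1 = root CA name; writes $1.key and self-signed $1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_server() {   # $1 = issuing root, $2 = server certificate name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# client_accepts TRUST_BUNDLE SERVER_CERT
# Prints "accept" or "reject": the decision of a supplicant whose profile
# trusts exactly the roots in TRUST_BUNDLE.
client_accepts() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

make_root old-root
make_root new-root
issue_server old-root radius-before   # server cert before the root changes
issue_server new-root radius-after    # server cert issued under the new root

# Profile carrying both roots, as installed on clients that support multiple CAs
cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/both.pem"

# Decision matrix: single-root profiles versus the dual-root profile
for bundle in old-root.pem new-root.pem both.pem; do
  for srv in radius-before radius-after; do
    printf '%-14s %-14s %s\n' "$bundle" "$srv" \
      "$(client_accepts "$bundle" "$srv")"
  done
done
```

The single-root rows correspond to the Android < 7.1 case in the message: whichever root such a device received decides which side of the changeover it can authenticate against.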
