cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] wildcard certificates supported?
- Date: Thu, 16 Feb 2017 12:51:22 +0100
Hi,
Actually this may be a problem indeed. Windows has a strange approach
to regular expressions in certificate names.
We did have a discussion about that on the list a long time ago and I
have even started implementing something but then gave ups as it
generally seems that wildcard certificates are not a great idea and
people do not really use them.
At this point I do not remember more details.
Tomasz
W dniu 2017-02-16 o 12:43, Jose Manuel Macias Luna pisze:
> Hi,
>
> I'm not sure about this, but surely Tomasz, Alan or Stefan can give an
> appropriate answer.
>
> One of our institutions is using a wildcard certificate for their radius
> server (with CN *.someidp.tld), and that's what they have configured in
> eduroam CAT admin interface. This institution in particular is having
> problems with installers for win8 and win10, and the only thing
> suspicious I see in their profile is the wildcard certificate.
>
> I have been having a look to the admin guide and says nothing about this
> particular case:
>
> «The name of your server as specified in the Common Name (CN) of your
> EAP server certificate»
>
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators#AguidetoeduroamCATforinstitutionadministrators-Institution-wideSettings
>
> I do have found some text (I think from Stefan?) in the "EAP Server
> Certificate Considerations" article:
>
> server name not a wildcard name (e.g "*.someidp.tld") Some
> supplicants
> exhibit undefined/buggy behaviour when attempting to parse incoming
> certificates with a wildcard. Windows 8 and 8.1 are known to choke on
> wildcard certificates.
>
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
> So my question is... is this accepted by all the clients configured by
> CAT, or would some of them only admit somename.someidp.tld?
>
> If so, I think we should maybe issue a warning at the CAT web interface
> for admins, and/or update the admin guide to reflect this.
>
>
> Thanks in advance,
>
> Jose Manuel.
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
--
Tomasz Wolniewicz
twoln AT umk.pl
http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
Attachment:
smime.p7s
Description: Kryptograficzna sygnatura S/MIME
- [[cat-users]] wildcard certificates supported?, Jose Manuel Macias Luna, 02/16/2017
- Re: [[cat-users]] wildcard certificates supported?, Tomasz Wolniewicz, 02/16/2017
Archive powered by MHonArc 2.6.19.