cat-users - [[cat-users]] Bug? Windows installer places bundled certificates in "Run As" user's personal store

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Robin Breathe <p0073773 AT brookes.ac.uk>
  • To: eduroam <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] Bug? Windows installer places bundled certificates in "Run As" user's personal store
  • Date: Wed, 22 Feb 2017 16:19:47 +0000
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=brookes.ac.uk

Hi all,

When you run the Windows CAT installer as a non-admin user, you have to raise your privilege with an admin user's credentials. Unfortunately, this appears to result in any bundled trusted certificates being installed in that admin user's Trusted Root certificate store rather than in either the active user's Trusted Root certificate store or in the system-wide Trusted Root certificate store. As a result, subsequent TLS validation fails as the active user doesn't trust the certificate presented by the ORPS.

Has anyone else seen this issue? Have a workaround?

I'm suspecting the new(?) behaviour may have been introduced by the move from Gareth Ayre's setEAPCred.exe to WLANSetEAPUserData in https://github.com/GEANT/CAT/commit/328a23ad01c39f18d1458a058fcf5901b39278ad, though we moved to a local Root CA around the same time, so it's possible that prior use of a widely trusted CA masked the issue previously.

Regards,
Robin
--
Robin Breathe
Chief Technology Officer, OBIS, Oxford Brookes University – 01865 483685
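
A diagnostic for the symptom reported above, added here as an example; it is not part of the original message and is not CAT project code. Given the thumbprint of the bundled root CA (a parameter you supply), it reports whether the certificate sits in the system-wide Trusted Root store or only in individual users' per-user stores. It assumes the standard per-user registry location for root certificates.

```powershell
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint   # SHA-1 thumbprint of the root CA bundled in your installer
)

# Normalise: drop spaces/colons copied from the certificate dialog.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# System-wide Trusted Root store (trusted by every user on the machine).
$inMachine = Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint"
$machineRow = [pscustomobject]@{
    Store = 'LocalMachine\Root'; Account = '(all users)'; Present = $inMachine
}

# Per-user Trusted Root stores live in each user's registry hive. Only hives
# that are currently loaded appear under HKEY_USERS. The registry is read
# directly because Cert:\CurrentUser\Root also shows machine-wide roots.
$subKey = "Software\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
$userRows = @(
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid   # SID could not be resolved to an account name
            }
            [pscustomobject]@{
                Store   = 'CurrentUser\Root'
                Account = $account
                Present = Test-Path -Path "Registry::HKEY_USERS\$sid\$subKey"
            }
        }
)

@($machineRow) + $userRows | Format-Table -AutoSize

# Flag the situation from the report: trusted by some account, but not machine-wide.
$userHits = @($userRows | Where-Object { $_.Present })
if (-not $inMachine -and $userHits.Count -gt 0) {
    Write-Warning ("Root CA is present only in the per-user store of: " +
        ($userHits.Account -join ', ') + ". Other users will not trust it.")
}
```

Run it from an elevated prompt opened with the same admin account that was used for the installer, so that account's hive is loaded and readable alongside the logged-on user's.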


