Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] renew certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] renew certificate


Chronological Thread 
    < Chronological >      < Thread >
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Zaira Ramirez <zaira.ramirez AT unam.mx>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] renew certificate
  • Date: Wed, 9 Aug 2017 07:25:13 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,

> Hope you are having a great day. My name is Zaira Ramirez and, I'm in
> charge of Eduroam service node at UNAM (Mexico). I'm having some issues
> which I describe bellow and I'm writing you to provide me some hints on
> a possible solution.

Sure thing - but please write to
cat-users AT lists.geant.org
in the future.

> I have a certificate with md5 encryption however the MacOS and iOS
> operating systems do not connect,

That is the situation since many years now indeed.

> I renewed the certificate, using
> sha256 ciphering but, when I upload it to the CAT, this is not being
> updated in the installers. I would like to know how long it takes to
> update? since it has been a week since I uploaded my certificate.

I just went to the public download section of eduroam CAT and got a
macOS installer with a SHA-256 certificate just fine.

What exactly do you mean with "doesn't get updated"? Does it not work in
installed clients maybe?

There is something wrong with your new certificate, and that may well be
the reason. It contains:

X509v3 Basic Constraints:
CA:TRUE

which means the Basic Constraints are NOT marked as "critical". A root
CA must have the "critical" flag in its CA basic constraint.

I typically see this when people use the certificate generation scripts
of an older version of FreeRADIUS - it erroneously did not set critical
until - again - a few years back. Recent versions generate correct CA
certificates with the "critical" extension set.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature


  • Re: [[cat-users]] renew certificate, Stefan Winter, 08/09/2017

Archive powered by MHonArc 2.6.19.

Top of Page