
cat-users - Re: [[cat-users]] Minimise inconveniences when freeradius's CA changes

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Daniele Albrizio <albrizio AT units.it>
  • To: Francesco Malvezzi <francesco.malvezzi AT unimore.it>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Minimise inconveniences when freeradius's CA changes
  • Date: Mon, 19 Feb 2018 11:55:12 +0100
  • Organization: University of Trieste

On 19/02/2018 10:58, Francesco Malvezzi wrote:
Hi all,

I need to change the freeradius certificate and the issuing CA.

I would like to minimise users' inconveniences: what is the suggested path to
handle this event?

For example: to avoid making users download CAT all together, might it
work to add the newer CA (not yet in use) to the CAT profile already now?

Thank you,

Francesco


Hi,
I don't think there is a smooth migration path; nevertheless, I can tell you the steps we took in order to ease the passage.

1. Create a CAT profile for Android devices using old certificates (AFAIK Android does not accept multiple CAs in a network profile. Maybe latest releases do?)

1a. Create a default profile including both CA chains (Seems that intermediate CA alone should be the way but I used the full CA chain since I did not have time to check each device-type compatibility)

1b. Let a year pass (suggestion)

2. Notify all Android users of the date of the switchover

3.------------- Certificate switchover --------------

3a. Repack Android installer using the new CA certificates

4. Repack default installer purging the old CA

Hope it helps.

--
Daniele ALBRIZIO -
daniele.albrizio AT units.it
Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy
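
The rollover sequence from the message above can be rehearsed offline before touching production. This is an added example, not part of the original message or of CAT: it builds a throwaway lab PKI with the openssl CLI and checks which trust profile accepts which server certificate at each step. It assumes single-level root CAs and models a profile as just the CA file a supplicant pins; the CA names, file names and radius.example.org are constructed.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: all names, subjects and files here are made up.
LAB=$(mktemp -d) && cd "$LAB" || exit 1
trap 'rm -rf "$LAB"' EXIT
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > lab.cnf

# mk_ca NAME: self-signed root CA -> NAME.key, NAME.pem
mk_ca() {
  openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# mk_server CA NAME: RADIUS server certificate NAME.pem issued by CA
mk_server() {
  openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=radius.example.org" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# trusts PROFILE CERT: exit 0 if a supplicant pinned to the CA file PROFILE
# would accept the server certificate CERT.
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

mk_ca old-ca; mk_ca new-ca
mk_server old-ca srv-before      # certificate served before the switchover
mk_server new-ca srv-after       # certificate served after the switchover

cp old-ca.pem android-step1.pem                    # step 1: single old CA
cat old-ca.pem new-ca.pem > default-step1a.pem     # step 1a: both CAs
cp new-ca.pem android-step3a.pem                   # step 3a: single new CA
cp new-ca.pem default-step4.pem                    # step 4: old CA purged

# Print the acceptance matrix: profile, server certificate, verdict.
for p in android-step1 default-step1a android-step3a default-step4; do
  for s in srv-before srv-after; do
    trusts "$p.pem" "$s.pem" && r=accept || r=REJECT
    printf '%-16s %-11s %s\n' "$p" "$s" "$r"
  done
done
```

Only the dual-CA profile accepts the server certificate on both sides of the switchover; the single-CA profiles each reject one side, which is why steps 2 and 3a are tied to the switchover date and step 4 must come after it.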
