
cat-users - Re: [[cat-users]] update on consistent Win10 connection failures

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: IAM David Bantz <db AT alaska.edu>
  • To: stefan.winter AT restena.lu
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] update on consistent Win10 connection failures
  • Date: Wed, 7 Nov 2018 08:27:47 -0900
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=alaska-edu.20150623.gappssmtp.com

AddTrust is the root CA but not the issuer of the server cert. 
InCommon/Comodo issued the server cert, and that CA cert is signed by AddTrust.
I'll send the cert chain off-list.

David

On Tue, Nov 6, 2018 at 10:24 PM Stefan Winter <stefan.winter AT restena.lu> wrote:
Hello,

> I thought belatedly to Re-read The Fine Manual
> at https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
> which does provide some recommended "non-standard" server certificate
> properties, specifically including SubjectAltName (or "SAN") in addition
> to CN, and certificate extension "TLS Web Server Authentication" -
> neither of which our current server certificate has. 
>
> So my working hypothesis is now that we need to get a new server cert
> with those "non-standard" properties added. 

Well, I should re-word that page. Most of the items in that list are
indeed fairly standard, only a few stand out (and then only marginally).

I'm however puzzled by what you write. AddTrust is a commercial CA and
the certificates they produce "typically" tick all the boxes. These days
it's hard to come across a CA which doesn't automatically populate the
CN into a subjectAltName:DNS as well.

Would you mind sending me that certificate off-list? Just the public
certificate, no need for the private key :-)

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
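
A check for the two properties named in the quoted message (a subjectAltName:DNS entry alongside the CN, and the "TLS Web Server Authentication" extended key usage), as an added example that is not part of the original thread or of the CAT project. The host name `radius.example.org` and the helper `makeTestCert` are constructed for illustration; in practice the certificate would be parsed from the RADIUS server's PEM file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// eapCertProps reports whether a certificate has a subjectAltName:DNS entry
// equal to its CN, and the "TLS Web Server Authentication" (serverAuth) EKU.
func eapCertProps(c *x509.Certificate) (sanMatchesCN, serverAuthEKU bool) {
	for _, n := range c.DNSNames {
		sanMatchesCN = sanMatchesCN || strings.EqualFold(n, c.Subject.CommonName)
	}
	for _, u := range c.ExtKeyUsage {
		serverAuthEKU = serverAuthEKU || u == x509.ExtKeyUsageServerAuth
	}
	return sanMatchesCN, serverAuthEKU
}

// makeTestCert builds a constructed, self-signed sample (hypothetical helper).
func makeTestCert(cn string, withProps bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if withProps {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := makeTestCert("radius.example.org", false)
	if err != nil {
		panic(err)
	}
	fmt.Println(eapCertProps(c))
}
```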


