
Re: [[cat-users]] eduroam CAT with Let's Encrypt


  • From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: Mikael Bak <bak.mikael AT oszk.hu>
  • Subject: Re: [[cat-users]] eduroam CAT with Let's Encrypt
  • Date: Tue, 23 Apr 2019 09:47:50 +0000


On 23 Apr 2019, at 10:32, Mikael Bak <bak.mikael AT oszk.hu> wrote:

> Hi list,
>
> I wonder if there is a way to use Let's Encrypt and automatic cert
> renewal with eduroam CAT?
>
> Is it a good idea? Is it even possible?

I’ve been lurking on this list for a while so feel free to take with a pinch of salt.

Any issues with CAT specifically aside, I’m not sure that LE is a sustainable model for eduroam type authentication as you’ve got very little control over when the Root changes. My home-based LE certificates have a Root which expires in September 2021 — so, even if LE continued to use this Root up to the bitter end, the best case would be that users would need to intervene (download a new CAT profile?) before then to maintain service.

That’s then coupled with LE's non-web renewal process still being a bit clunky - needing DNS TXT records in place (and possibly changing?) to renew.

Current thinking is that a local, long-lived Root CA (which could be dedicated to RADIUS authentication) be used and published via CAT, then service certificates be issued using that.

There’s a pretty good breakdown of the pros and cons (not specifically for LE) here:

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

Hope that helps (and someone might correct my inaccuracies!)

-- 
Matthew Slowe
Technical Specialist - Trust & Identity

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
 
Jisc Trust and Identity Services
UK Access Management Federation - Assent - Certificate Service - Domain Registry and Liberate - fully managed solution for Jisc's access management services

https://jisc.ac.uk/network/trust-and-identity
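The local, long-lived Root CA plus short-lived service certificate set-up described in the reply, scripted with openssl as an added example that is not part of the thread or of eduroam CAT itself; the organisation name, RADIUS host name, file paths and lifetimes are constructed placeholders.

```shell
# Added example, not code from the thread or eduroam CAT: private long-lived
# Root CA for RADIUS/EAP, plus a short-lived server cert issued from it.
# Names, paths and lifetimes are constructed placeholders. Requires openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Org
CN = Example Org RADIUS Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# 1. Root CA valid 20 years. Its notAfter is the date by which every user would
#    need a new CAT profile, so this is the one lifetime to keep long.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:4096 -sha256 -days 7300 -nodes \
    -config "$WORK/ca.cnf" -extensions v3_ca \
    -keyout "$WORK/radius-root.key" -out "$WORK/radius-root.crt" 2>/dev/null
}
# 2. EAP server cert for one RADIUS host, ~13 months. It can be rotated freely
#    because supplicants pin the root, not this certificate.
issue_server_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$WORK/ca.cnf" \
    -subj "/O=Example Org/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days 397 -in "$WORK/$host.csr" \
    -CA "$WORK/radius-root.crt" -CAkey "$WORK/radius-root.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}
# 3. The "users must intervene before" date the reply warns about.
root_expiry() {
  openssl x509 -in "$WORK/radius-root.crt" -noout -enddate | cut -d= -f2
}
# 4. What a supplicant checks: the server cert chains to the pinned local root.
verify_chain() {
  openssl verify -CAfile "$WORK/radius-root.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
make_root_ca
issue_server_cert radius.example.org
echo "Root CA expires: $(root_expiry)"
verify_chain radius.example.org && echo "radius.example.org chains to local root"
```

Only the root certificate goes into the CAT profile; the server certificate can then be renewed on any schedule without users re-installing anything.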
