cat-users AT
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT>
- To: Hunter Fuller <hf0002 AT>
- Cc: cat-users AT
- Subject: Re: [[cat-users]] "Can't connect to this network" in Windows 10
- Date: Wed, 10 Jul 2019 07:47:39 +0200
- Autocrypt: addr=stefan.winter AT; prefer-encrypt=mutual; keydata= mQINBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABtDxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT6JAjkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8bkCDQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAYkCHwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=
sorry, I must have gotten lost in the forest of variants how to reach a
I believe the correct thing to say is that the intermediate you have -
USERTrust RSA Certification Authority - CAN be chained up to a root but
SHOULD NOT: there is an alternative version of that CA which is itself a
I found out about this only by a SSL cert observatory. It lists your
intermediate as an intermediate just fine:
but with the comment: "If you are looking for the root version of this
certificate, you can find it here.":
So, you should probably upload that latter root version of "USERTrust
RSA Certification Authority" instead of the intermediate variant.
That should work much better.
But note that this is not really a CAT problem, and InCommon cert
service support would be able to advise you on the correct use of
InCommon cert chains much better than I can. I'm surprised that the info
about this alternative root is not on that same wiki page.
Stefan Winter
Am 09.07.19 um 22:10 schrieb Hunter Fuller:
> Stefan,
> I clicked the letters "DER" next to "USERTrust Secure" and uploaded
> only that certificate. CAT still shows the message.
> --
> Hunter Fuller
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> On Thu, Jun 13, 2019 at 1:36 AM Stefan Winter <stefan.winter AT>
> wrote:
>> Hello,
>> sorry for the late reply.
>> You have probably uploaded the intermediate CA, not the root one. The
>> root CA is required while intermediates are optional.
>> You can find the root CA on the web page I mentioned earlier:
>> There is a link [DER] besides the "USERTrust Secure". The root CA cert
>> is behind that link.
>> Greetings,
>> Stefan Winter
>> Am 29.05.19 um 22:41 schrieb Hunter Fuller:
>>> Stefan,
>>> Thank you so much for the info. It makes perfect sense. I totally
>>> failed to find that mailing list post myself.
>>> I have input those two certs, though, and CAT is showing this message:
>>> "Information needed! CA Certificate File"
>>> It's acting like I have no root loaded - but the only other root I
>>> could load is the AddTrust one, which seems to be the source of our
>>> problems.
>>> Where can I find the root for the recommended chain?
>>> --
>>> Hunter Fuller
>>> Router Jockey
>>> VBH Annex B-5
>>> +1 256 824 5331
>>> Office of Information Technology
>>> The University of Alabama in Huntsville
>>> Network Engineering
>>> On Tue, May 21, 2019 at 1:41 AM Stefan Winter <stefan.winter AT>
>>> wrote:
>>>> Hello,
>>>>> I have a new Windows 10 machine that will connect to eduroam just fine
>>>>> if I verify our cert's fingerprint manually, instead of using CAT.
>>>>> When I install CAT, the network configuration is added, but as soon as
>>>>> I click Connect, "Can't connect to this network" is displayed under
>>>>> the SSID name in the menu.
>>>>> Does anyone have any tips for collecting data about why the failure is
>>>>> happening? Since I am also one of our realm administrators, I was able
>>>>> to look on our RADIUS server logs. The client is sending what it calls
>>>>> a "TLS alert message" and thus the connection is rejected.
>>>>> I know I have loaded our root and intermediates correctly because the
>>>>> CAT works fine on other OSes (iOS and Linux are the ones I have access
>>>>> to, and have tried).
>>>>> Is there any place in Windows I can find more information about why
>>>>> it's failing, or is there anywhere else I can check? Any pointers
>>>>> would be appreciated.
>>>> You are using an InCommon server certificate and have specified AddTrust
>>>> as the root certificate.
>>>> There are Windows-internal issues with that. Please review this list
>>>> post:
>>>> and the InCommon wiki page detailing the expected chain to a root
>>>> certificate:
>>>> The chain should be:
>>>> USERTrust Secure [DER]
>>>> InCommon RSA Server CA [DER] [PEM]
>>>> End-Entity Certificate
>>>> The chain you use, while technically correct, isn't liked by Windows in
>>>> some circumstances. That same wiki page links to that deprecated one as
>>>> "Comodo's version of the chain"; the solution is to use the USERTrust
>>>> version as outlined above.
>>>> Also note that "Comodo's version of the chain" becomes entirely defunct
>>>> in almost exactly one year from now because the root cert expires May 30
>>>> 10:48:38 2020 GMT. I.e. you have every reason to switch to the alternate
>>>> reality ASAP.
>>>> Greetings,
>>>> Stefan Winter
>>>> --
>>>> Stefan WINTER
>>>> Ingenieur de Recherche
>>>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>>>> de la Recherche
>>>> 2, avenue de l'Université
>>>> L-4365 Esch-sur-Alzette
>>>> Tel: +352 424409 1
>>>> Fax: +352 422473
>>>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>>>> recipient's key is known to me
>>> To unsubscribe, send this message:
>>> mailto:sympa AT
>>> Or use the following link:
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>> de la Recherche
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>> Tel: +352 424409 1
>> Fax: +352 422473
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
> To unsubscribe, send this message:
> mailto:sympa AT
> Or use the following link:
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
Description: application/pgp-keys
Description: OpenPGP digital signature
- Re: [[cat-users]] "Can't connect to this network" in Windows 10, Hunter Fuller, 07/09/2019
- Re: [[cat-users]] "Can't connect to this network" in Windows 10, Stefan Winter, 07/10/2019
- Re: [[cat-users]] "Can't connect to this network" in Windows 10, Stefan Winter, 07/10/2019
- Re: [[cat-users]] "Can't connect to this network" in Windows 10, Hunter Fuller, 07/10/2019
- Re: [[cat-users]] "Can't connect to this network" in Windows 10, Stefan Winter, 07/10/2019
Archive powered by MHonArc 2.6.19.