Skip to Content.

cat-users - [[cat-users]] unverified profile on iOS 13 + TERENA certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


[[cat-users]] unverified profile on iOS 13 + TERENA certificate


Chronological Thread 
    < Chronological >      < Thread >
  • From: Jan Reister <Jan.Reister AT unimi.it>
  • To: cat-users AT lists.geant.org
  • Cc: Claudio Lori <claudio.lori AT unimi.it>
  • Subject: [[cat-users]] unverified profile on iOS 13 + TERENA certificate
  • Date: Mon, 03 Feb 2020 12:02:36 +0100
  • Autocrypt: addr=jan.reister AT unimi.it; prefer-encrypt=mutual; keydata= mQINBFnmG3MBEACgH2bVfRUolszzeP4wokLRnfFmbhbcTGdPmTiXDuq+sbmNufvftmVxFCrj JFubtqnUwLmmMgt6S9jmGNymUTHsZ52VGCLSGZYVdUhPhdZSa54XlLeSas2L+g3XLNbNbF5p 3W7+oV/7Ooz6kifJJSlF1WnwwZ+aNidTOOmxhdht4eRrxBKFdRykG+hhGMnxVEvzNkKXLFSq zHzEmFXxkuc55AODaKp98PWIThgMjBHxjy/oS0Y8b3EPMNVaNxvCzgl03dAWszyRlvHxqJH1 bSfoBnz2g9XjGN62L8f4szQSGSoTGDSjbFDgRxBdt2vXshXuFRMFPNAebbQqpsBQn7EUNaKp O/RDmVwuBNueWsg4g1lDtegi3Ojx65BunfSSt7i0Fd5hkgsThaK5N52tmgH6UP9/Mv+1Pnmt 9QHvCaNTfaCe/9uMPfCMF57+5Hbhn6BxTpppZ9KpAiaTgEhFQuhuotY6olYjK2M/KejS3YJj on2t6lAxy5N3SGvC6typ7j6k95wxdH4SKfvYcejpRuadNExbHrUzmxz0hPA/+4TUHIDBvG66 /O58CCEM7dliqEwFzoGSvaMbSdIVlJrG/MYkto/PW5EF9vvpXK5qQgSJ1UBI4XLdDFKVeAYp wPOkJr1i/0H9+KEol6jd0/zpuY1e8CdAigNzdwtAXkIH02xeYwARAQABtCJKYW4gUmVpc3Rl ciA8amFuLnJlaXN0ZXJAdW5pbWkuaXQ+iQI4BBMBAgAiBQJZ5htzAhsDBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgAAKCRDVrGeeElO0nulqD/9crPESFDZcsc3kmKkUKtvGJa8bDxYjHjLm tW5SxuapcqI+WiKXh81ixx4iw9kyqBUw6SMY70t8WCGetIUS1z2nLZyvXI3YbmW6Ew/y5e5k eQZ00nOzel2e0i3Er03rDhhxyCHpgc9HeDcWqDkC9o1iDHStFoJuRltnikubfv1EKZBMJZ39 MRGTjKUo07xGnaQSOECOMWGuus+wl6v7IlXXZZHaKnyqkA1yNhFP4hYN7wspn8wsQ3De3ZEU Pgmkgl0wiuMlalWYpnYvWXpcicCsZy1BH5vGUtDu0sS8CbLKs7Jis8rBQKs7GtJBuWhUUMFq T4b9jtf02W4Mfpj3AZNZqVbBdvi7lW4j9P0AJO/WbDszaIFFt0f/7NBnE0KL8Ls44wOluOKd MbxCS7MRfzFZhwOubBlqDvbUg8utavWmOoaSiqWqox8OE81zFqa+pJovG+xZdcL7R0uSmVk2 viRBIjp8VNpcdVJ/DtCRnx9QzpfH/gtGcm4sSjNV6L5/DNClw/Ima6GvtND8+VPKJBTMesK4 vrb0Ee6AZkceg4UeoICEgRXyZGqFU3/HK7IsThxDne9cPefM66GlB053EBWF8crjZHJJ/iZq bpqXYaB51ApUuVMAi8pK/AJxucZidSKIy9wOJJVDIvo9TSvm9JMFpMVWaqqg+aWKpcmhbfsj lrkCDQRZ5htzARAAoWi3RqglLjQXy/YLvN8PgCL6A/KYYKZqy+vZaQlNDQZjX4cq4aTEyBSl 2v5jBPoT88zO+7Z6JONNDg0g9A3SWk0FLQ4+0D0pLtuTaAtHDVwIsNI2+adyMQOzAIu56Kj8 S+PQxyWxV0WRzfolBh7ij66/FMlK427bGsJ+e4rKIW4TACvdU1abSl+1+/QRVECCq1gCFZPR AGF2AZfaTKMf441CP2AqbeV/MICSF0y45g0zq3kFcJaMExwUwKil0U9VEuaoBkbMDtYewYLl M9iv9rxax33iKkGJIdWqGxtXaRyLPdQOGk5a5hhe3yJS6GU0x+Hp2aTQZyz8OWFJxEbpOzyl tP+7F06hB357RJn52SbT7DAoNUkzy3dp48pwZlLikg+jAJVapB2roOIKcYhsQW81HDTx5UBo YGwRMziulqWVRp4tg99S8AkiUhAjQXg4vKOK9xMoi/tCyXtPvVy7ph+qRknSRSlkYZhKBxtc LHAEPx6g2dbaz8xCj1LkexILnEdk/NQo+4AcHakEBjptgdep0l7xDFtc7MQs/brtIZ+pyWL3 00WliNqtsr075ByR0C3kqgTCM9sp+CqA+HRq2Q9dnaAXoAoPDLYok/TbyAHOHCngCqlQc2lZ emjj78kyjO2h0lujH6/bc/hHW+9BolQ5IRyhSFBuWgGNzFii92cAEQEAAYkCHwQYAQIACQUC WeYbcwIbDAAKCRDVrGeeElO0npAdD/9HFkTB9Bxq3qldfv8lOv3Adr0bSfo2u39DIpA0J9xh j+u/hC6ul/w14SSmmpcjcQP67Rz1m+/RKoWnph0nlulbKgM2Dak7sKIMumPwS6gBAPaJ5BCO rknzsICTTtPTKlrD9jWu6XoBHRQ8+V3i08YvkvQ+DFT9NjCg9zyELPe8ufdh3nFKbwP7/u4v g1xMFqLvfVeg1dszKMxO/QT4y3LKILQ7aN8Bru5bmnaz0JW/Bka0CTz7cQLJNDAKcW2QK5cS g0R8817YJjKl714lfcGXSMKX3LWgJXBfi8YVi+TvO7/xMIEeFb3c7DIF72DgH1QzCpEh0nCD obKAwEEuGKaxHVNmqqwApPA6h6FlkN3y9OCVRvc4nuLAmN03KmmwbSBR4vEfJXyIblfUaez6 DAwUtorxuRZYfuTckKdNh5uO0BxHVTJX/JD326nJJ2DFpm8Ce4uqfk5dPTHDzS8HAnGiZKUT JnMvVjiSA1JEBO+DvWW/OTgj+BjyTD/B+Z/QrFv1kZLWZnd8bQWC9gKnDh2rhqiGbUQgPMuU RPDkjlmAiYBS/nJQKKUcNs3XZFRkPxced2+L+r1jS1Qw1pah1itit3n9HzpxGVdOgO1IkeBl SqMekUsKoH8tcSzSCwRPCoga8qKC1IjeLa2lM2Mvha64ilgln0BmHtPh58MuhFNjKg==
Hello list,

we are using cat-test.eduroam.org to test a new certificate issued by
DigiCert and TERENA. We plan to deploy the new certificate soon as the
existing cert on cat.eduroam.org for our university is expiring.

The deployment via cat-test of the certificate on iOS fails as the
profile is "unverified". Profile details show two signing certificates,
one valid by TERENA, and another by GEANT which is *expired*.

See attached pics.

We extracted certificates from the .mobileconfig file and verified that
the certificate chain is correct.

$ openssl verify -verbose -CAfile RootCAFile -untrusted
IntermediateCAFile CertificateFile
$ CertificateFile: OK

We can't find any reference to the GEANT signature on the certificate
chain.
Looks like the .mobileconfig generator on cat-test works correctly.
Somehow seems that iOS picks up the GEANT signing certificate which is
expired, and ignores the TERENA signing certificate.

We tried turning it off and on again(R), to no avail :-)

Do you have any idea why is this happening?

Thank you for your attention,

Jan and Claudio
--
Jan Reister - CWNA
tel +39 02 50315307
Servizio Wireless - Ufficio Architettura di Rete - Settore Reti
Direzione ICT
Università degli Studi di Milano

Attachment: profile1.jpg
Description: JPEG image

Attachment: profile2.jpg
Description: JPEG image


Archive powered by MHonArc 2.6.19.

Top of Page