cat-users - Re: [[cat-users]] Commercial certs expiration

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Commercial certs expiration
  • Date: Tue, 3 Mar 2020 15:45:08 +0100

CAT does two things: it installs the certificates you have posted to CAT (if required, on Windows it will not install certificates that are already in the store) and it sets the trusted root CA to point to yours. Therefore all that matters is that the supplicant on the user's device is able to verify the received server certificate against the trusted root.

If you make sure that your RADIUS server always sends the server cert and the intermediate cert, then in principle you do not need to push the intermediate to CAT. I said "in principle" since I believe that there is a faulty OS that might complain.

If the intermediate gets changed then you just need to add this to your RADIUS server and all should work just fine, as the validation of your server cert against the root should work. Hopefully by 2024 there will be no faulty OSes out there any more.

Yours

Tomasz



On 03.03.2020 at 15:22, Ricardo Stella wrote:

Quick question here.

Although we understand the preferred method is to use a private CA to issue the certificate, we are looking at this time to implement Eduroam with a commercial cert (InCommon).

In the tool, my understanding is that I will install both the USERTrust Root (new one expiring in 2038), and the intermediate InCommon which expires in 2024. I can then renew my radius one every year, without problems. 

Until 2024, correct? At that time, I would have to create and distribute a new version of the tool to users so they get the new intermediate cert. I don't think I can simply install the root only, right?

Just presenting the pros/cons up the line regarding using a private CA vs a commercial cert

Thanks in advance - Ricardo.

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uniwersyteckie Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750                            tel kom.: +48-693-032-576

Attachment: smime.p7s
Description: S/MIME cryptographic signature
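
The validation behaviour described in this message can be checked offline with the `openssl` CLI. The script below is an added example, not part of the original thread or of CAT: it builds a constructed root, two intermediates and two server certificates (all names invented) and verifies each leaf the way a supplicant pinned to the root only would, using just the intermediate the RADIUS server sends.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (all names invented): root -> intermediate -> RADIUS server cert.
set -eu
W=$(mktemp -d)
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Key + CSR for subject CN=$1, written to $W/$1.key and $W/$1.csr.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
# Sign $W/$1.csr with CA $2; extra arguments (e.g. CA extensions) are passed through.
sign() {
  local name=$1 ca=$2; shift 2
  openssl x509 -req -in "$W/$name.csr" -CA "$W/$ca.pem" -CAkey "$W/$ca.key" \
    -CAcreateserial -days 30 -out "$W/$name.pem" "$@" 2>/dev/null
}
# What the supplicant does: validate leaf $2 against the single trusted root $1,
# using only the intermediate the RADIUS server sent (optional $3).
chain_ok() {
  openssl verify -CAfile "$W/$1.pem" ${3:+-untrusted "$W/$3.pem"} "$W/$2.pem" >/dev/null 2>&1
}

mkcsr root
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 30 \
  -extfile "$W/ca.cnf" -extensions v3_ca -out "$W/root.pem" 2>/dev/null
for i in intA intB; do mkcsr "$i"; sign "$i" root -extfile "$W/ca.cnf" -extensions v3_ca; done
mkcsr srvA; sign srvA intA   # server cert under the current intermediate
mkcsr srvB; sign srvB intB   # server cert issued after the intermediate was replaced

report() { if chain_ok "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report root srvA intA   # server sends leaf + intermediate: client needs the root only
report root srvA        # server omits the intermediate: client cannot build the chain
report root srvB intB   # new intermediate added on RADIUS only: same client profile works
report root srvB intA   # stale intermediate left on RADIUS after the change: fails
```

Against a real deployment, the same `openssl verify -CAfile <root> -untrusted <intermediate> <server cert>` check can be run on the files configured in the RADIUS server before and after an intermediate is replaced.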
