The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Guy Halse <guy AT tenet.ac.za>]

    Hi
    
    We have an IdP that wants to roll over the certification authority
    it uses and deploy on a new RADIUS instance. In this process, both
    the CA certificate and the CN used for validation will necessarily
    change.
    
    The CAT web application supports adding both multiple root certs and
    multiple subject CNs into a profile, which means it's possible to
    generate a profile that theoretically covers both the old and new
    infrastructure. This looks to be the way to mimise the end-user
    impact of rolling over, since users can be asked to re-install from
    CAT prior to the migration with the assurance then they'll work in
    both scenarios without interruption.
    
    However, I seem to remember there were platform-specific limitations
    on how that works in practice. The platforms they're most interested
    in are Windows 10, Android, and iPhone -- and for some reason I seem
    to remember this being broken on Android?
    
    Does it help to issue a cert with a SubjectAlternativeName matching
    the old CN used for validation? (I'm not sure that's actually
    possible in this case, but it was a thought I had.)
    
    Does anyone have experience with this sort of roll-over who can
    offer advice one what does and doesn't work? Or better yet, point me
    at documentation?
    
    Regards,
    
    - Guy

--
Guy Halse
Executive Officer: Trust & Identity Tertiary Education & Research Network of South Africa NPC Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature