
cat-users - [[cat-users]] Correct method for certificate rollover in CAT?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Guy Halse <guy AT tenet.ac.za>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] Correct method for certificate rollover in CAT?
  • Date: Fri, 15 Oct 2021 10:40:13 +0200
  • Organization: Tertiary Education & Research Network of South Africa NPC

Hi

We have an IdP that wants to roll over the certification authority it uses and deploy on a new RADIUS instance. In this process, both the CA certificate and the CN used for validation will necessarily change.

The CAT web application supports adding both multiple root certs and multiple subject CNs into a profile, which means it's possible to generate a profile that theoretically covers both the old and new infrastructure. This looks to be the way to minimise the end-user impact of rolling over, since users can be asked to re-install from CAT prior to the migration with the assurance that they'll work in both scenarios without interruption.

However, I seem to remember there were platform-specific limitations on how that works in practice. The platforms they're most interested in are Windows 10, Android, and iPhone -- and for some reason I seem to remember this being broken on Android?

Does it help to issue a cert with a SubjectAlternativeName matching the old CN used for validation? (I'm not sure that's actually possible in this case, but it was a thought I had.)

Does anyone have experience with this sort of roll-over who can offer advice on what does and doesn't work? Or better yet, point me at documentation?

Regards,

- Guy
--
Guy Halse
Executive Officer: Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
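
An added example, not part of the original message or of CAT: a pre-migration check with the openssl CLI that a combined trust set (old and new root CA, old and new server name) accepts both the old and the new RADIUS server certificate. All CA names, host names and files are constructed test data, and the result only reflects OpenSSL's chain and name checks, not how any particular supplicant on Windows, Android or iOS handles such a profile.

```bash
#!/usr/bin/env bash
# Added example. All CA names, host names and files are constructed test
# data; assumes the openssl CLI (1.1.1 or later) is installed.

# make_ca <dir> <name>: throwaway self-signed root CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server <dir> <ca-name> <cn>: server cert (CN only, no SAN) from that CA
make_server() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

# profile_accepts <ca-bundle> <server-cert> <name>...
# Succeeds if the cert chains to any CA in the bundle AND matches any listed
# name, i.e. the trust decision a profile with several roots and names encodes.
profile_accepts() {
  pa_bundle=$1; pa_cert=$2; shift 2
  for pa_name in "$@"; do
    openssl verify -CAfile "$pa_bundle" -verify_hostname "$pa_name" \
      "$pa_cert" >/dev/null 2>&1 && return 0
  done
  return 1
}

# build_rollover_fixture <dir>: old and new CA, one RADIUS cert under each
build_rollover_fixture() {
  make_ca "$1" old-ca && make_ca "$1" new-ca &&
  make_server "$1" old-ca radius-old.example.org &&
  make_server "$1" new-ca radius-new.example.org &&
  cat "$1/old-ca.pem" "$1/new-ca.pem" > "$1/both-cas.pem"
}

demo_dir=$(mktemp -d)
build_rollover_fixture "$demo_dir"
for srv in radius-old radius-new; do
  if profile_accepts "$demo_dir/both-cas.pem" "$demo_dir/$srv.example.org.pem" \
       radius-old.example.org radius-new.example.org
  then echo "$srv: accepted by combined profile"
  else echo "$srv: REJECTED by combined profile"
  fi
done
rm -rf "$demo_dir"
```

With real files, point `profile_accepts` at a bundle of the actual old and new root certificates and at each RADIUS server's certificate, listing the names the profile will carry.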



