
cat-users - Re: [[cat-users]] Correct method for certificate rollover in CAT?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Correct method for certificate rollover in CAT?


  • From: Jan-Frederik Rieckers <rieckers AT dfn.de>
  • To: Guy Halse <guy AT tenet.ac.za>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
  • Date: Fri, 15 Oct 2021 10:48:24 +0200

Hey Guy,

in Germany we recently (Jul 2019) had the expiration of the Root CA for
our PKI.
There probably is no 'correct' method to do this; I'll just throw in my
experiences.

Different universities handled it differently. My former university
introduced an explicit outer username (eduroam@<REALM> in our case), and
with this outer username you got the new certificate.
This had the advantage that you can
1) identify the users who haven't reconfigured their devices yet
2) route the users to the new RADIUS servers based on their outer username.

This also has the advantage that users are directed to use the CAT,
since the setup of an explicit outer identity is not trivial.
(You don't get the "I type in my credentials, ignore all warnings and it
just works")

A few months before the Root CA expired we also introduced a captive
portal that forced the users to click on a button every time they logged
in, with instructions on the page what they have to do to change to the
new configuration.

This setting worked pretty well for a university with >20k users.

Greetings
Janfred

On 15.10.21 10:40, Guy Halse wrote:
> Hi
>
> We have an IdP that wants to roll over the certification authority it
> uses and deploy on a new RADIUS instance. In this process, both the CA
> certificate and the CN used for validation will necessarily change.
>
> The CAT web application supports adding both multiple root certs and
> multiple subject CNs into a profile, which means it's possible to
> generate a profile that theoretically covers both the old and new
> infrastructure. This looks to be the way to minimise the end-user impact
> of rolling over, since users can be asked to re-install from CAT prior
> to the migration with the assurance that they'll work in both scenarios
> without interruption.
>
> However, I seem to remember there were platform-specific limitations on
> how that works in practice. The platforms they're most interested in are
> Windows 10, Android, and iPhone -- and for some reason I seem to
> remember this being broken on Android?
>
> Does it help to issue a cert with a SubjectAlternativeName matching the
> old CN used for validation? (I'm not sure that's actually possible in
> this case, but it was a thought I had.)
>
> Does anyone have experience with this sort of roll-over who can offer
> advice on what does and doesn't work? Or better yet, point me at
> documentation?
>
> Regards,
>
> - Guy
> --
> https://www.tenet.ac.za/ Guy Halse
> Executive Officer: Trust & Identity
>
> Tertiary Education & Research Network of South Africa NPC
>
> Fault Reporting: +27(21)763-7147 <tel:+27(21)763-7147> or
> support AT tenet.ac.za <mailto:support AT tenet.ac.za>
> Office: +27(21)763-7102
> http://www.tenet.ac.za/contact
> https://orcid.org/0000-0002-9388-8592
> <https://orcid.org/0000-0002-9388-8592>
>

--
E-Mail: rieckers AT dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de

Board: Prof. Dr. Odej Kao (Chair) | Dr. Rainer Bockholt |
Christian Zens
Managing Directors: Dr. Christian Grimm | Jochem Pattloch
Register of Associations, Charlottenburg District Court, 7729B | VAT ID DE 1366/23822
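Two checks an operator can script during a rollover of this kind, as an added example that is not part of the thread and not code from the CAT project or DFN: the first mirrors Janfred's approach of using an explicit outer identity (eduroam@<REALM>) to spot devices that have not been reconfigured and to route sessions to the new RADIUS pool; the second models how a supplicant configured from a CAT profile with several root CAs and several server names decides whether to accept a server certificate, so a transition profile can be checked against both the old and the new server before it is published. The log format, realm, server names and root fingerprints are all constructed placeholders; the acceptance model is a simplification (it matches CN or SAN), which is exactly the platform-specific behaviour Guy asks about, and a real supplicant may be stricter.

```python
"""Rollover helpers (added example; assumptions noted inline)."""
import re
from collections import Counter
from dataclasses import dataclass

REALM = "example-uni.example"            # assumed realm, not from the thread
MIGRATED_OUTER = f"eduroam@{REALM}"      # explicit outer identity, as in the thread

# Constructed home-server authentication log in a simplified key=value style.
# Only the home RADIUS server sees the inner identity, which is why this
# check runs there and not on a proxy.
SAMPLE_LOG = """\
2021-10-15T10:40:01 Access-Accept outer=eduroam@example-uni.example inner=alice@example-uni.example nas=ap-lib-01
2021-10-15T10:40:02 Access-Accept outer=bob@example-uni.example inner=bob@example-uni.example nas=ap-lib-02
2021-10-15T10:40:03 Access-Reject outer=carol@example-uni.example inner=carol@example-uni.example nas=ap-lab-07
2021-10-15T10:40:04 Access-Accept outer=eduroam@example-uni.example inner=dave@example-uni.example nas=ap-lib-01
2021-10-15T10:40:05 Access-Accept outer=bob@example-uni.example inner=bob@example-uni.example nas=ap-lib-02
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Access-\w+) outer=(?P<outer>\S+) "
    r"inner=(?P<inner>\S+) nas=(?P<nas>\S+)$"
)


def route_pool(outer_identity):
    """Routing rule from the thread: the new outer username goes to the new
    RADIUS pool, every other outer identity stays on the legacy pool."""
    return "new-radius" if outer_identity.lower() == MIGRATED_OUTER else "legacy-radius"


def classify_outer_identities(log_text):
    """Return (sorted inner identities still on the legacy pool, requests per pool)."""
    unmigrated = set()
    per_pool = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        pool = route_pool(m["outer"])
        per_pool[pool] += 1
        if pool == "legacy-radius":
            unmigrated.add(m["inner"])
    return sorted(unmigrated), dict(per_pool)


@dataclass(frozen=True)
class ServerCert:
    """What a supplicant compares: the root the chain ends in, plus the names."""
    root_fingerprint: str
    common_name: str
    sans: tuple = ()


@dataclass
class CatProfile:
    """A CAT profile may carry several root CAs and several server names."""
    trusted_roots: set
    server_names: set


def profile_accepts(profile, cert):
    """Simplified supplicant decision: the chain must end in a trusted root AND
    the CN or one SAN must be a configured server name. Real platforms differ
    in whether they match CN, SAN or both."""
    if cert.root_fingerprint not in profile.trusted_roots:
        return False
    return bool({cert.common_name, *cert.sans} & profile.server_names)


# Constructed descriptors for the old and new infrastructure (placeholders).
OLD_CERT = ServerCert("sha256:OLD-ROOT-PLACEHOLDER", "radius-old.example-uni.example")
NEW_CERT = ServerCert("sha256:NEW-ROOT-PLACEHOLDER", "radius-new.example-uni.example")
# New server cert that also carries the old name as a SAN (Guy's question).
NEW_CERT_WITH_OLD_SAN = ServerCert(
    "sha256:NEW-ROOT-PLACEHOLDER", "radius-new.example-uni.example",
    sans=("radius-old.example-uni.example",),
)

OLD_PROFILE = CatProfile({OLD_CERT.root_fingerprint}, {OLD_CERT.common_name})
TRANSITION_PROFILE = CatProfile(
    {OLD_CERT.root_fingerprint, NEW_CERT.root_fingerprint},
    {OLD_CERT.common_name, NEW_CERT.common_name},
)


def check_transition(profile):
    """Does a profile accept both the old and the new server certificate?"""
    return {"old": profile_accepts(profile, OLD_CERT), "new": profile_accepts(profile, NEW_CERT)}


if __name__ == "__main__":
    print(classify_outer_identities(SAMPLE_LOG))
    print("old-only profile:", check_transition(OLD_PROFILE))
    print("transition profile:", check_transition(TRANSITION_PROFILE))
    print("old profile, new cert with old SAN:",
          profile_accepts(OLD_PROFILE, NEW_CERT_WITH_OLD_SAN))
```

The last check shows why a SAN carrying the old name does not help on its own when the root CA also changes: the chain fails the trust check before any name is compared, so devices still on the old profile reject the new server regardless of its names. Only the profile that lists both roots and both names accepts both servers, which is the state users need to be in before the cut-over.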





