
cat-users - Re: [[cat-users]] Radius certificate length and faq

cat-users AT lists.geant.org

The mailing list for users of the eduroam Configuration Assistant Tool (CAT)




  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Radius certificate length and faq
  • Date: Fri, 15 Oct 2021 11:29:55 +0200

Hello,

as Paul has already answered extensively: our current advice regarding CAs, certificate properties, key lengths etc. is on this page:

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

As Paul mentions, the landscape of pros and cons is shifting as devices and their OSes change (I would say "evolve", but it isn't always a step in the right direction ;-) ), so some of the arguments on that page need to be re-weighted. Still, if you read all of that to the end, then you can make an informed decision.

Personally, I think people often underestimate how hard it is to properly run a private CA long-term and securely, so the final advice on the page, "if you know what you are doing, then use a private CA", should more often lead to using a public CA than it actually does.

Greetings,

Stefan Winter

Am 14.10.21 um 18:06 schrieb Ricardo Stella:
These may be questions for the eduroam admin list, but they do involve CAT.

We initially configured eduroam with the same commercial cert used for HTTP for RADIUS (we use ClearPass). It is only in a semi-test mode - that is, it's there and works, but is not publicized. Now that I know a little better (maybe ready to take eduroam 102), it would be best to use our own CA with a long expiration date so we won't have to push down a new CAT tool in a year or two. The CA I set up 20 years ago, which is not in use any more, has an expiration date of 2031, so it may be an option; it was created with openssl and a 2048-bit key. But I may create a brand new CA just in case. This would be the cert pushed via CAT.

Few questions now...

* How long should the RADIUS cert be? I understand that renewing it won't affect CAT, since what matters is the root that signs it. But reading that iOS does not trust certs longer than about 2 years, would this be the case? Should I plan on renewing the RADIUS cert every year? Would it be an issue with the long-term CA installed by CAT?

* Are there any FAQs on verifying what extensions are needed/required?

* We have a 3-node ClearPass implementation. Should each RADIUS cert have its own CN but add all 3 nodes to the subject alt names?

I'll probably think of more questions once I hit send, but for now..

Thanks in advance - Ricardo.


