cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tony Skalski <ajs AT stolaf.edu>
- To: Paul Dekkers <paul.dekkers AT surf.nl>
- Cc: Guy Halse <guy AT tenet.ac.za>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
- Date: Fri, 15 Oct 2021 10:02:56 -0500
Hi,
On 15/10/2021 10:40, Guy Halse wrote:
Hi
We have an IdP that wants to roll over the certification authority it uses and deploy on a new RADIUS instance. In this process, both the CA certificate and the CN used for validation will necessarily change.
The CAT web application supports adding both multiple root certs and multiple subject CNs into a profile, which means it's possible to generate a profile that theoretically covers both the old and new infrastructure. This looks to be the way to minimise the end-user impact of rolling over, since users can be asked to re-install from CAT prior to the migration with the assurance that they'll work in both scenarios without interruption.
However, I seem to remember there were platform-specific limitations on how that works in practice. The platforms they're most interested in are Windows 10, Android, and iPhone -- and for some reason I seem to remember this being broken on Android?
That is true for the old eduroam CAT App I believe, but geteduroam supports multiple CAs just fine. So I can myself actually only speak for geteduroam; but there I don't see this as an issue. (Also the Windows geteduroam App installs multiple CAs, and I believe the CAT installer does as well.)
The proof of the pudding, ... ;-) if you have older devices that need the old CAT app, that may be an issue.
Does it help to issue a cert with a SubjectAlternativeName matching the old CN used for validation? (I'm not sure that's actually possible in this case, but it was a thought I had.)
I don't think this is necessary per se, but it's better not to change it too much, for some platforms will fall back to a "matching substring". But that's also the more legacy Android types,
Does anyone have experience with this sort of roll-over who can offer advice on what does and doesn't work? Or better yet, point me at documentation?
I do like Jan-Frederik's comments/experiences too. The part I described is only ... well, part of the story. The rest is getting people to migrate. (Of course the trick with anonymous usernames may trigger the anonymous username bugs; it may be safer if you prefix with anon also, so anon2021 may be better, I forgot the entire logic that worked or didn't work.)
Regards,
Paul
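The rollover scenario discussed in this thread (a profile trusting both the old and the new root, and a server certificate whose SAN still lists the old server name) can be rehearsed offline before touching CAT. The script below is an added example, not code from this thread or from the CAT/geteduroam projects; it assumes only the openssl command-line tool is installed. The CA names and the server names radius-old.example.org and radius-new.example.org are constructed placeholders. It builds a throwaway "old" and "new" CA, issues a RADIUS server certificate from the new CA with both names in its SAN, and then checks what a supplicant would accept with the combined trust bundle versus a profile that still carries only the old root.

```shell
#!/bin/sh
# Added example (not from the cat-users thread or the CAT/geteduroam projects).
# Requires the openssl CLI. All names below are constructed placeholders.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD_NAME=radius-old.example.org   # assumed: server name users validate today
NEW_NAME=radius-new.example.org   # assumed: server name of the new RADIUS instance

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca <file prefix> <CA common name>: self-signed root with CA:TRUE.
make_ca() {
    openssl req -config "$WORK/openssl.cnf" -x509 -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server certificate issued by the NEW CA. CN is the new name; the SAN lists
# both the new and the old name (the SubjectAlternativeName idea from the thread).
issue_server_cert() {
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$NEW_NAME" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:%s\n' \
        "$NEW_NAME" "$OLD_NAME" > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/new-ca.crt" -CAkey "$WORK/new-ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# check_profile <trust bundle> <expected server name>: prints "ok" when the
# server cert chains to a root in the bundle AND its SAN matches the name,
# i.e. what a supplicant configured with that profile would accept.
check_profile() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca old-ca "Old eduroam IdP CA"
make_ca new-ca "New eduroam IdP CA"
issue_server_cert
# The "rollover" profile: both roots in one bundle, as CAT allows.
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/both.pem"

printf '%-12s %-26s %s\n' bundle expected-name result
for bundle in both.pem old-ca.crt new-ca.crt; do
    for name in "$NEW_NAME" "$OLD_NAME"; do
        printf '%-12s %-26s %s\n' "$bundle" "$name" "$(check_profile "$WORK/$bundle" "$name")"
    done
done
```

The table it prints shows the point of the thread: with both roots in the profile, the new server is accepted under either expected name, while a profile still carrying only the old root rejects the new server outright regardless of which name is listed. Listing the old name in the SAN only helps clients that have already received the new root; it does nothing for a device that never re-ran the installer.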