Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Correct method for certificate rollover in CAT?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Correct method for certificate rollover in CAT?


Chronological Thread 
  • From: Louis Twomey <louis.twomey AT heanet.ie>
  • To: Guy Halse <guy AT tenet.ac.za>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Paul Dekkers <paul.dekkers AT surf.nl>
  • Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
  • Date: Fri, 15 Oct 2021 16:34:10 +0000
  • Accept-language: en-IE, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=heanet.ie; dmarc=pass action=none header.from=heanet.ie; dkim=pass header.d=heanet.ie; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BFhaLWEwZRW7snanxkux3/Edys0dXgwtqCD1Ou7ReYQ=; b=Z3bPbUhk3gXamxky+RntCTuSkDS5t1DHTCd61RM15o/x4d4nEPoriyBZUYdWZtteXnQ8KR5mUjm6Y3FUl+wCp9ncCw564wD7Sjo9FyDgVVra4XmXOTxOXG8HVNffcHOco/i7Uj7EJIxFUnRFSXpMKdKlnTCD7qpqP5lyOxR0zPKqrW7uX+UD7q1kpXSG0x2J1iKxbdYtYKHQsDhzB2RlFjc05AbEWlcsCq94gukeTbrab2j3UftI1KTem8JIbQ/lvCdiI/E2IyorVwd1NzSZ+opl7qazl9RJcNGaWC9/LFgxnkX9XWtutn+vdz2oyRcZ35JGIEgKtPyy0hpPc7eu8A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=md8T19Yhn1uCbtZy0YPe39kczIfQ3OcA0Ekmt9b7WSEkHne9hiKX+0Hj82v3X7Ul0StaNSMZV/VoWZrxycJ9clo+tbOXI3bMZkT0EF9rSdR78nooTFlEMKLWq0PybBebelEaODQar6QvUY1nFknqPzvdQxRC0ghbRxbigqS2VaX+K8yrF7uAcZB98CVz243am7aJVWCnKgwX791chZ2MNnxygQLHApb6fc3K/nh4hfw5GLfH8Ie0u0OUL2qbY928pIzJaKLEDOYhxZjRRhD4ufWyZPSet9C6krD0q9ZM6XfzBHw0oYxWTsm1sU/KKGSX4JFZ3axBSXioRItTrJtrOA==
  • Authentication-results: tenet.ac.za; dkim=none (message not signed) header.d=none;tenet.ac.za; dmarc=none action=none header.from=heanet.ie;

Hi Guy,
Apologies, my mail was far too simplistic, and therefore misleading/wrong.

As already mentioned by others, you can do creative things on the Radius
server to continue to authenticate Android < 7.1 users against the old
certificate, giving you the means of migrating those users over time rather
than cutting them all off immediately.

Regards,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey AT heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270







> On 15 Oct 2021, at 11:04, Louis Twomey <louis.twomey AT heanet.ie> wrote:
>
> Hi Guy,
> Android < 7.1 does not allow more than one CA to be installed with a
> profile, so with those devices you have no way to cleanly migrate and you
> basically cut them off when you switch to the new server cert.
>
> Regards,
> Louis
> -------
> Louis Twomey
> Technical Architect
> PGP key: C77D9256
> HEAnet CLG, Ireland’s National Education and Research Network
> 1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
> +353 (0)1 6609040 louis.twomey AT heanet.ie www.heanet.ie
> Registered in Ireland, No. 275301. CRA No. 20036270
>
>
>
>
>
>
>
>> On 15 Oct 2021, at 10:55, Paul Dekkers <paul.dekkers AT surf.nl> wrote:
>>
>>
>> CAUTION[External]: This email originated from outside of the organisation.
>> Do not click on links or open the attachments unless you recognise the
>> sender and know the content is safe.
>>
>>
>> Hi,
>>
>> On 15/10/2021 10:40, Guy Halse wrote:
>>> Hi
>>>
>>> We have an IdP that wants to roll over the certification authority it
>>> uses and deploy on a new RADIUS instance. In this process, both the CA
>>> certificate and the CN used for validation will necessarily change.
>>>
>>> The CAT web application supports adding both multiple root certs and
>>> multiple subject CNs into a profile, which means it's possible to
>>> generate a profile that theoretically covers both the old and new
>>> infrastructure. This looks to be the way to mimise the end-user impact of
>>> rolling over, since users can be asked to re-install from CAT prior to
>>> the migration with the assurance then they'll work in both scenarios
>>> without interruption.
>>>
>>> However, I seem to remember there were platform-specific limitations on
>>> how that works in practice. The platforms they're most interested in are
>>> Windows 10, Android, and iPhone -- and for some reason I seem to remember
>>> this being broken on Android?
>> That is true for the old eduroam CAT App I believe, but geteduroam
>> supports multiple CAs just fine. So I can myself actually only speak for
>> geteduroam; but there I don't see this as an issue. (Also the Windows
>> geteduroam App installs multiple CAs, and I believe the CAT installer does
>> as well.)
>>
>> The proof of the pudding, ... ;-) if you have older devices that need the
>> old CAT app, that may be an issue.
>>
>>> Does it help to issue a cert with a SubjectAlternativeName matching the
>>> old CN used for validation? (I'm not sure that's actually possible in
>>> this case, but it was a thought I had.)
>> I don't think this is necessary per se, but it's better not to change it
>> too much, for some platforms will fall back to a "matching substring". But
>> that's also the more legacy Android types,
>>> Does anyone have experience with this sort of roll-over who can offer
>>> advice one what does and doesn't work? Or better yet, point me at
>>> documentation?
>> I do like Jan-Frederik comments/experiences too. The part I described is
>> only ... well, part of the story. The rest is getting people to migrate.
>> (Of course the tric with anonymous usernames may trigger the anonymous
>> username bugs; it may be safer if you prefix with anon also, so anon2021
>> may be better, I forgot the entire logic that worked or didn't work.)
>>
>> Regards,
>> Paul
>>
>>
>>>
>>>
>> To unsubscribe, send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>




Archive powered by MHonArc 2.6.19.

Top of Page