cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
Re: [[cat-users]] Renewing FreeRADIUS server certs with the same key as prior cert
Chronological Thread
- From: Martin Stanislav <ms AT uakom.sk>
- To: Florian Lengyel <Florian.Lengyel AT cuny.edu>
- Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Jonathan Frost <Jonathan.Frost AT cuny.edu>, Anna Wong <Anna.Wong AT cuny.edu>, Mark Manis <Mark.Manis AT cuny.edu>, Arthur Ecock <Arty.Ecock AT cuny.edu>, Agustin Ferrer <Agustin.Ferrer AT cuny.edu>
- Subject: Re: [[cat-users]] Renewing FreeRADIUS server certs with the same key as prior cert
- Date: Mon, 18 Sep 2023 20:59:54 +0200
Hi Florian,
I suppose you are about to renew an EAP server certificate that is deployed
on CUNY RADIUS servers. In fact, it doesn't matter whether you keep
the old key pair or you decide to create a new key pair (wrt trust).
eduroam config profile published for CUNY on the eduroam CAT portal
will work as long as the chain of trust this profile contains covers
EAP server certificate deployed on CUNY RADIUS servers.
The same applies for the expected server name (as present in
the profile vs in a deployed X.509 certificate).
Also the clients (802.1X supplicants) have to be provisioned in accord
with the concerned CUNY profile published on eduroam CAT portal,
e.g. geteduroam will use published profile to provision a client device.
There is more info wrt EAP server certificate on the GÉANT wiki [1].
Kind regards,
Martin
[1]
https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
On Mon, Sep 18, 2023 at 06:00:44PM +0000, Florian Lengyel wrote:
>
> Hi,
>
> I am renewing the server certificate of my FreeRADIUS cluster for eduroam.
> The server key is remaining the same.
> Is it true that users typically should not need to reconfigure their
> devices?.
> My understanding is that the existing settings should continue to work after
> the server cert is renewed as the server key is the critical component for
> the client-trust relationship.
>
> Florian
>
> [cid:image002.png AT 01D9EA36.58499090]
> Florian Lengyel, PhD
> Identity and Access Management
> CUNY CIS 395 Hudson Street, New York, NY 10014
> Voicemail: (646) 664-2370 Cell: (917) 621-7845
> Email: florian.lengyel AT cuny.edu
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
- [[cat-users]] Renewing FreeRADIUS server certs with the same key as prior cert, Florian Lengyel, 09/18/2023
- Re: [[cat-users]] Renewing FreeRADIUS server certs with the same key as prior cert, Martin Stanislav, 09/18/2023
Archive powered by MHonArc 2.6.24.