cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025

From: Martin Pauly <pauly AT hrz.uni-marburg.de>
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025
Date: Fri, 23 May 2025 09:43:02 +0200

Hi,

Am 22.05.25 um 23:31 schrieb Tomasz Wolniewicz (via cat-users Mailing List):

I think I would like to get more information about this difference between
Windows 11 and Windows 10. If you change the certificates in the CAT profiles
and the user run the new installers then the installer will remove the old
profile and install the new one pointing to the new root certificate. I
cannot imagine how Windows 11 can differ from Windows 10 here.

My observation from Nov 2023 may be a little off-topic, but I am sure the
code for cert handling
differs between Windows 10 and 11. Back then, our up-to-then cert distributor
DFN closed down
there CA (*pity*) which had been a Sub-CA of the T-TeleSec CA. To keep 50k+
devices happy,
we became customers of T-TeleSec ourselves and obtained a new cert signed by
the the same CA
directly without hassle. Only difference: We dared to include more than one
SAN in this new cert.
When we started using it, _most_ clients including Win11 did check for the
root CA and
server name configured by CAT, disregard correctly that the intermediate
chain parts
had changed and simply went on connecting.
Not quite so for Windows 10. The students' clients running Win10 did not
accept
the new cert. It turned out the Windows 10 supplicant would only take in the
first of the SANs presented by the RADIUS server.
The workaround was to change their CAT profile to check for the first one of
the SAN
configured in the cert, although that one had been intended for staff users.
After that worked, I haven't touched the issue any more.

But I would assume it's time to tell users to drop their Windows 10 during
the summer anyway.
Except for some LTSC or ESU users, it will be over by October. It will be
tough thing
to really block users with outdated clients at the start of winter term, so
my idea
is to start telling them now (and invest as little as possible in a dying OS).

Cheers, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg

Attachment: smime.p7s
Description: Kryptografische S/MIME-Signatur

[[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Herivault, Jacques, 05/19/2025
- Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Tomasz Wolniewicz, 05/21/2025
  - Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, ALBRIZIO DANIELE, 05/22/2025
    - Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Stefan Paetow, 05/22/2025
      - Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Tomasz Wolniewicz, 05/22/2025
        
        Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Herivault, Jacques, 05/22/2025
        
        Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Tomasz Wolniewicz, 05/22/2025
        
        Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Herivault, Jacques, 05/22/2025
        Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Tomasz Wolniewicz, 05/23/2025
        
        Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Martin Pauly, 05/23/2025
    - Re: [[cat-users]] Cat-signer-ams.eduroam.org certificat expirering on May 30 2025, Tomasz Wolniewicz, 05/22/2025