cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
[[cat-users]] EAP: Issue with Windows clients and cross-signing certificates
- From: Patrice Peterson <address@concealed>
- To: address@concealed
- Subject: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates
- Date: Wed, 15 Oct 2025 12:07:29 +0200
Dear list,
I am an administrator with a DFN member university (and, by association, GÉANT). We take part in the Eduroam network. Yesterday we replaced our Sectigo RADIUS certificates with ones from Harica, and we encountered an issue where Windows 11 clients were unable to connect to the Eduroam network, due to the presence of a cross cert leading Windows down the wrong trust path.
For illustration, I have attached one of our Radius server cert chains that exhibit the issue ('radius3.xd.uni-halle.de.fullchain.pem') and the root cert which we are configuring as a trust anchor in the Eduroam CAT tool ('HARICA-TLS-Root-2021-ECC.pem').
The issue appears to be that Windows clients choose the wrong trust path: Because of the cross cert in the chain, Windows clients choose the longer path and end up at HARICA's 2015 root cert instead of the 2021 one which we have configured. On newer (Win11) systems, the 2015 root cert is not present anymore, resulting in a 'root certificate invalid' error. A newer Android client, using the same CAT profile, does not exhibit this problem and correctly chains to the 2021 root cert.
The Microsoft documentation mentions [1] that this is 'by design' and suggests removing the cross cert from the client as a workaround. This is not a workable suggestion in the context of our Eduroam configuration, so we have decided to remove the cross cert from the RADIUS server cert chain instead. With that, Windows clients appear to choose the (newer, shorter) path to the 2021 root certificate, and the issue goes away.
Aside from removing the cross cert from the server chain -- which our PKI admins hesitate to do --, is there something else we can do here?
Best regards,
Patrice Peterson
MLU
[1]: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/secured-website-certificate-validation-fails
Attachment:
radius3.xd.uni-halle.de.fullchain.pem
Description: application/x509-ca-cert
Attachment:
HARICA-TLS-Root-2021-ECC.pem
Description: application/x509-ca-cert
Attachment:
smime.p7s
Description: Cryptographic S/MIME signature
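The path-selection problem the message describes, as an added example that is not part of the original post or of the eduroam CAT project: a small RFC 4158-style path builder that enumerates every candidate chain from the RADIUS server certificate to a trust anchor, run once against a Windows-10-like store (old and new root present) and once against a Windows-11-like store (only the 2021 root), followed by the pruning step the poster applied by hand. Certificates are modelled only by the fields a builder chains on (subject, issuer, SKI, AKI); all subjects and key identifiers are constructed placeholders, not HARICA's real values, and no signatures are checked.

```python
"""Candidate trust paths with and without a cross-signed root certificate.

Added example (not from the original post or eduroam CAT). Certificates are
reduced to the name/key fields a path builder chains on; the identifiers are
constructed placeholders, not the real HARICA certificates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # subject key identifier (identifies the cert's own key)
    aki: str  # authority key identifier (SKI of the key that signed it)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.ski == self.aki


# Constructed placeholder PKI modelled on the situation in the message.
ROOT_2015 = Cert("HARICA Root 2015", "HARICA Root 2015", "ski-2015", "ski-2015")
ROOT_2021 = Cert("HARICA TLS Root 2021", "HARICA TLS Root 2021", "ski-2021", "ski-2021")
# The cross certificate: same subject and key as the 2021 root, signed by the 2015 root.
CROSS_2021_BY_2015 = Cert("HARICA TLS Root 2021", "HARICA Root 2015", "ski-2021", "ski-2015")
ISSUING_CA = Cert("HARICA TLS Issuing CA", "HARICA TLS Root 2021", "ski-ica", "ski-2021")
LEAF = Cert("radius.example.org", "HARICA TLS Issuing CA", "ski-leaf", "ski-ica")

# What the RADIUS server sends in the EAP-TLS handshake (leaf first).
SERVER_CHAIN = [LEAF, ISSUING_CA, CROSS_2021_BY_2015]

# Client trust stores: the older store still holds the 2015 root, the newer one does not.
STORE_WITH_OLD_ROOT = {ROOT_2021, ROOT_2015}
STORE_NEW_ROOT_ONLY = {ROOT_2021}


def build_paths(leaf, sent_chain, trust_store):
    """Enumerate candidate paths [leaf, ..., anchor] by issuer-name and AKI chaining.

    Returns (complete, dangling): complete paths end at a self-signed certificate
    in trust_store; dangling paths ran out of candidates before reaching one,
    which is the 'root certificate invalid' outcome seen on the clients.
    """
    # Candidates are the extra certs the server sent plus the client's own anchors.
    candidates = list(dict.fromkeys([c for c in sent_chain if c != leaf] + list(trust_store)))
    complete, dangling = [], []

    def walk(path):
        tail = path[-1]
        if tail in trust_store and tail.is_self_signed():
            complete.append(path)
            return
        nexts = [c for c in candidates
                 if c.subject == tail.issuer and c.ski == tail.aki and c not in path]
        if not nexts:
            dangling.append(path)
        for c in nexts:
            walk(path + [c])

    walk([leaf])
    return complete, dangling


def prune_cross_certs(sent_chain, trust_store):
    """Drop chain entries that carry a trust anchor's subject and key but are not
    the anchor itself, i.e. cross certificates for a root the clients already trust."""
    anchor_keys = {(a.subject, a.ski) for a in trust_store if a.is_self_signed()}
    return [c for c in sent_chain
            if (c.subject, c.ski) not in anchor_keys or c.is_self_signed()]


def path_subjects(path):
    return [c.subject for c in path]


if __name__ == "__main__":
    for label, store in (("old+new roots", STORE_WITH_OLD_ROOT), ("new root only", STORE_NEW_ROOT_ONLY)):
        ok, bad = build_paths(LEAF, SERVER_CHAIN, store)
        print(f"[{label}] complete: {[path_subjects(p) for p in ok]}")
        print(f"[{label}] dangling: {[path_subjects(p) for p in bad]}")
    pruned = prune_cross_certs(SERVER_CHAIN, STORE_NEW_ROOT_ONLY)
    ok, bad = build_paths(LEAF, pruned, STORE_NEW_ROOT_ONLY)
    print(f"[pruned chain] complete: {[path_subjects(p) for p in ok]}, dangling: {len(bad)}")
```

With the full server chain, a client holding both roots has two valid paths (the short one to the 2021 root and the long one via the cross certificate to the 2015 root), while a client holding only the 2021 root sees one valid path and one dangling path; the failure in the message is the client committing to the dangling one. Pruning removes exactly the cross certificate, leaving a single path to the configured anchor. The trade-off the pruning makes visible: a client whose store contains only the older root no longer has any path at all, so the decision depends on which anchor the CAT profile installs. For a real chain, the same four fields per certificate can be read with `openssl x509 -noout -subject -issuer -ext subjectKeyIdentifier,authorityKeyIdentifier` (OpenSSL 1.1.1 or later) and fed into `Cert`.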
Thread index:
- [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
- <Possible follow-up(s)>
  - [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Stefan Paetow, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Lukas Wringer, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Stefan Paetow, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Lukas Wringer, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Paul Dekkers, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Stefan Paetow, 10/15/2025
Archive powered by MHonArc 2.6.24.
