geteduroam - Re: geteduroam odd behaviour on Android 10?

Subject: An open discussion list for topics related to the geteduroam service

Re: geteduroam odd behaviour on Android 10?


  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: geteduroam odd behaviour on Android 10?
  • Date: Tue, 8 Dec 2020 20:04:16 +0000

The entire chain is shipped with the EAP handshake (I know, not ideal), but
the ultimate root *should* suffice.

I refer to this part in the IdP guide (verbatim):

"For most EAP methods, the required EAP details are
- The Certification Authority (CA) certificate(s) which signed your EAP
  server certificate
  - always include the root CA (root CAs are indicated with a blue circled
    "R" besides the certificate details after upload)
  - optionally include intermediate CAs (intermediate or server certificates
    are indicated with a blue circled ("I") besides the certificate after
    upload)
- The name of your server as specified in the Common Name (CN) of your EAP
  server certificate"

I've done a check and yes, the CA root cert on the server and the CA root
cert on CAT match (as per Martin), and openssl verifies the chain ok:

[support:~] openssl verify -CAfile bspa-root.crt -untrusted bspa-interm.crt bspa-srv.crt
bspa-srv.crt: OK

So no, it's not the chain, because actual authentications would have failed.

With Regards

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet




On 08/12/2020, 15:39, "geteduroam-request AT lists.geant.org on behalf of Paul
Dekkers" <geteduroam-request AT lists.geant.org on behalf of
geteduroam AT lists.geant.org> wrote:

Hi,

Ah, in that case it looks like the intermediate certificate is missing?
This contains just the/a QuoVadis root.

Thanks for checking on the profile, I didn’t get to that yet,

(I doubt this profile works well in CAT?)

Regards,
Paul


> On 8 Dec 2020, at 16:24, Martin Pauly <geteduroam AT lists.geant.org> wrote:
>
> On 08.12.20 at 16:07, Stefan Paetow (via geteduroam Mailing List) wrote:
>> The profile is correct. They use a root certificate.
>
> This one?
>
> ...
>
> --
> Dr. Martin Pauly Phone: +49-6421-28-23527
> HRZ Univ. Marburg Fax: +49-6421-28-26994
> Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
> D-35032 Marburg
>
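
The openssl check from this thread, reproduced on a throwaway chain as an added example (not part of the original messages): with only the root trusted, the server certificate verifies when the intermediate is supplied alongside it, as the server does in the EAP handshake, and fails when nobody supplies it. All file names, subject names and certificates are constructed; `-untrusted` stands in for the chain sent by the server.

```shell
#!/bin/sh
# Added example: every name and certificate here is constructed test data.

# issue <dir> <name> <issuer> <ext-section> <CN> <serial>: sign a new cert with <issuer>.
issue() {
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$5" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -set_serial "$6" -extfile "$1/ca.cnf" -extensions "$4" -days 2 \
        -out "$1/$2.crt" 2>/dev/null
}

# make_chain <dir>: build root -> intermediate -> server certificates in <dir>.
make_chain() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[srv]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$1/ca.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$1/root.key" -out "$1/root.crt" -subj "/CN=Constructed Root" \
        -days 2 2>/dev/null &&
    issue "$1" interm root ca "Constructed Intermediate" 1 &&
    issue "$1" srv interm srv "radius.example.org" 2
}

# Client trusts only the root; the intermediate is supplied with the server cert.
verify_chain_from_server() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/interm.crt" "$1/srv.crt" >/dev/null 2>&1
}

# Client trusts only the root and the intermediate is never supplied.
verify_root_only() {
    openssl verify -CAfile "$1/root.crt" "$1/srv.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && make_chain "$dir" || exit 1
verify_chain_from_server "$dir" && echo "root trusted, intermediate supplied: OK"
verify_root_only "$dir" || echo "root trusted, intermediate missing: verification fails"
rm -rf "$dir"
```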





