Skip to Content.
Sympa Menu

geteduroam - Configuring with multiple root CAs (for CA rollover)

Subject: An open discussion list for topics related to the geteduroam service

List archive

Configuring with multiple root CAs (for CA rollover)


Chronological Thread 
  • From: James Potter <Jim.Potter AT jisc.ac.uk>
  • To: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Configuring with multiple root CAs (for CA rollover)
  • Date: Thu, 31 Aug 2023 08:34:33 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wa7wHAwvhMBwc01Wtn1ea8NpiWkxrb0hgmE5F/KJNCM=; b=dREG1t/zwTMA3u8DHsHnpuiK27ctPZcLlkGhvxOIfI6izXedA9Va/JVQajb+00Oyfa8lPwtauMEm71I+J4XE6v0Xzb+r1azFT/VWbZrY3EON7jG9J6P3afSU6eqfBUfyKVvNytlXt1UHa7zyb0S7VQYZW+8PRCXat/VQxR1j2u5jtH7Y0yIDrSTKUlndDf0dMtWqaX6+KB31jyK8PDsHupLJu7GWA5g/ehWnjtNkyfiOziyM9sInhLWlxk4KxlOs6dadjiDCfNKbCO7B60hYJ4BtLvvuDVdxb2c7xIZELuy9PHEicgMid0hSN91qALFlerb+CjcMHOIsZXWmjqSTCA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JBJfqmarm3v1JDKmL/2gvLbQu0W7xGdiu/R4Vcj6tS3CeLBBwJAjy318CX75Ran3Z21OhfyWADF9+V2i01u+Rpc7l2XSPKc09eO3IXWYkOwAHVx/GjOyouxyOK5G9KPSvWMzljajcH9Xjs7MHIejvZNa+DFlOt3wvrME+NyVdWCWaMs8xZWtJ4bWxXisQm2E5ZnIi6s5QsuyOpAb/uNDHRgFzQYETD4iq5aOBJhJito3wj5vvf+JbWIeKqlaURa31Ad5L5fmuCiVga3i8aPUMUX3zDEtIFJorfQ8aC47yMFU5/ARUrldY2d4jFe55ycTHvvSYI0aYgU8/GZn3YGYvA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jisc.ac.uk;

Hi all,

 

I’m looking to push out an eduroam profile that contains 2 root CAs. The current CA expires soon, I’d like as many users’ devices as possible to have a new CA in place so when we switch to a server cert (issued by the new CA) this change has as little user impact as possible.

 

The issue I’m having is that deployment of the new profile appears erratic. For various Android versions, we see either one or 2 CAs being added (in the case of only 1 cert, I think only the newer one is deployed). I’ve not got a definitive list of Android versions that work/don’t work.

 

Is deployment of multiple CAs meant to work? Has anyone else done this?

 

(Profile in question to test is University of Cumbria – staff/student profile has just the old CA; TESTING DO NOT USE has the new CA too)

 

Any help would be great,

 

Thanks,

 

Jim

Jisc




Archive powered by MHonArc 2.6.24.

Top of Page