
geteduroam - Re: Configuring with multiple root CAs (for CA rollover)

Subject: An open discussion list for topics related to the geteduroam service



Re: Configuring with multiple root CAs (for CA rollover)


  • From: Per Mejdal Rasmussen <pmr AT its.aau.dk>
  • To: <geteduroam AT lists.geant.org>
  • Subject: Re: Configuring with multiple root CAs (for CA rollover)
  • Date: Thu, 31 Aug 2023 13:32:16 +0200
  • Organization: Aalborg University


Last year we (Aalborg University) replaced our CA, because it was signed with SHA1.

This was the procedure:
  1. Generate new CA
  2. Sign old CA with new CA as an intermediate CA.
  3. Configure radius server to include old CA as an intermediate CA.
  4. Start using new CA on clients.

This procedure did not break any old clients, and did not require clients to support 2 CAs.


On 2023-08-31 10:34, James Potter wrote:

Hi all,

I’m looking to push out an eduroam profile that contains 2 root CAs. The current CA expires soon, I’d like as many users’ devices as possible to have a new CA in place so when we switch to a server cert (issued by the new CA) this change has as little user impact as possible.

The issue I’m having is that deployment of the new profile appears erratic. For various Android versions, we see either one or 2 CAs being added (in the case of only 1 cert, I think only the newer one is deployed). I’ve not got a definitive list of Android versions that work/don’t work.

Is deployment of multiple CAs meant to work? Has anyone else done this?

(Profile in question to test is University of Cumbria – staff/student profile has just the old CA; TESTING DO NOT USE has the new CA too)

Any help would be great,

Thanks,

Jim

Jisc


-- 
Per Mejdal Rasmussen
Senior Network administrator
Aalborg University, FRB1 B.1.87
Mobile:  +45 2990 9887
Support: +45 9940 2020
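The four-step procedure above, as an added example that is not Per's or the geteduroam project's own script: it creates a throwaway "old" root, generates a new root, cross-signs the old root's key under the new root so it becomes an intermediate, issues a RADIUS server certificate from the old key as before the rollover, and then checks that a client trusting only the old root and a client trusting only the new root both validate the same server chain. It assumes `openssl` is in PATH; all names (Old Root, New Root, radius.example.org) are constructed.

```shell
#!/bin/sh
# Assumed: openssl 1.1.1 or later in PATH. All subjects are constructed for the demo.
set -eu

demo_ca_rollover() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # The root clients already trust (stands in for the SHA-1 signed CA being retired).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Old Root" \
    -addext "basicConstraints=critical,CA:TRUE" -keyout old.key -out old.crt 2>/dev/null

  # Step 1: generate the new root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=New Root" \
    -addext "basicConstraints=critical,CA:TRUE" -keyout new.key -out new.crt 2>/dev/null

  # Step 2: cross-sign the old CA. Same key and subject as old.crt, but issued by New Root
  # and marked CA:TRUE, so it acts as an intermediate below the new root.
  openssl req -new -key old.key -subj "/CN=Old Root" -out old.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in old.csr -CA new.crt -CAkey new.key -CAcreateserial -days 3650 \
    -extfile ca.ext -out old-cross.crt 2>/dev/null

  # The RADIUS server certificate is still issued by the old CA key, unchanged by the rollover.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
    -keyout srv.key -out srv.csr 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\n' > srv.ext
  openssl x509 -req -in srv.csr -CA old.crt -CAkey old.key -CAcreateserial -days 365 \
    -extfile srv.ext -out srv.crt 2>/dev/null

  # Step 3: the chain the RADIUS server presents in EAP: server cert + cross-signed old CA.
  cat srv.crt old-cross.crt > chain.pem

  # Old clients trust only Old Root; new clients (step 4) trust only New Root.
  # Both must accept the same presented chain, or the rollover breaks one population.
  openssl verify -CAfile old.crt -untrusted old-cross.crt srv.crt >/dev/null
  openssl verify -CAfile new.crt -untrusted old-cross.crt srv.crt >/dev/null
  echo ok
)
```

Running the function prints `ok` only if both verifications succeed; a failure from either `openssl verify` aborts the subshell because of `set -e`.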


