geteduroam - RE: Configuring with multiple root CAs (for CA rollover)

Subject: An open discussion list for topics related to the geteduroam service

  • From: James Potter <Jim.Potter AT>
  • To: Per Mejdal Rasmussen <pmr AT>, "geteduroam AT" <geteduroam AT>
  • Subject: RE: Configuring with multiple root CAs (for CA rollover)
  • Date: Mon, 11 Sep 2023 07:48:45 +0000

Hi Per,


Thanks for this, I’ve tried your suggestion (having some issues, I’ll get there presently) – it's good to know that someone else has it working though.


Jim Potter



From: geteduroam-request AT <geteduroam-request AT> On Behalf Of Per Mejdal Rasmussen
Sent: Thursday, August 31, 2023 12:32 PM
To: geteduroam AT
Subject: Re: Configuring with multiple root CAs (for CA rollover)



Last year we (Aalborg University) replaced our CA, because it was signed with SHA1.


This was the procedure:

  1. Generate new CA
  2. Sign old CA with new CA as an intermediate CA.
  3. Configure RADIUS server to include old CA as an intermediate CA.
  4. Start using new CA on clients.


This procedure did not break any old clients, and did not require clients to support 2 CAs.



On 2023-08-31 10:34, James Potter wrote:

Hi all,


I’m looking to push out an eduroam profile that contains 2 root CAs. The current CA expires soon, I’d like as many users’ devices as possible to have a new CA in place so when we switch to a server cert (issued by the new CA) this change has as little user impact as possible.


The issue I’m having is that deployment of the new profile appears erratic. For various Android versions, we see either one or 2 CAs being added (in the case of only 1 cert, I think only the newer one is deployed). I’ve not got a definitive list of Android versions that work/don’t work.


Is deployment of multiple CAs meant to work? Has anyone else done this?


(Profile in question to test is University of Cumbria – staff/student profile has just the old CA; TESTING DO NOT USE has the new CA too)


Any help would be great,







Per Mejdal Rasmussen
Senior Network administrator
Aalborg University, FRB1 B.1.87
Mobile:  +45 2990 9887
Support: +45 9940 2020
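
The four-step rollover described in the thread above, rehearsed with the OpenSSL command line as an added example (not code from the thread or from geteduroam). It builds a throwaway old CA, server certificate and new CA, issues the old CA as an intermediate under the new root, and checks which trust anchors accept the server certificate. All CNs, file names and lifetimes are constructed, and `openssl verify` stands in for the client supplicant.

```bash
#!/usr/bin/env bash
# Added example: throwaway PKI. All CNs, file names and lifetimes are constructed.
set -eu

build_pki() (   # $1 = empty working directory; subshell keeps the cd local
  cd "$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > ca.cnf
  # Existing state: old root CA and the RADIUS server certificate it issued.
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj '/CN=Old Example CA' -keyout old.key -out old-root.pem -days 30 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=radius.example.org' -keyout srv.key -out srv.csr 2>/dev/null
  openssl x509 -req -in srv.csr -CA old-root.pem -CAkey old.key -CAcreateserial \
    -out srv.pem -days 30 2>/dev/null
  # Step 1: generate the new root CA.
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj '/CN=New Example CA' -keyout new.key -out new-root.pem -days 30 2>/dev/null
  # Step 2: certify the old CA's existing subject and key under the new root,
  # producing an intermediate. The CSR is signed with the old CA's private key.
  openssl req -new -config ca.cnf -key old.key -subj '/CN=Old Example CA' -out old.csr
  openssl x509 -req -in old.csr -CA new-root.pem -CAkey new.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out old-cross.pem -days 30 2>/dev/null
)

# Steps 3 and 4: would a client trusting only $2 accept the server certificate
# when the RADIUS server also sends the chain file $3 (optional)?
client_accepts() {   # $1 = dir, $2 = trust anchor, $3 = chain file (optional)
  openssl verify -CAfile "$1/$2" ${3:+-untrusted "$1/$3"} "$1/srv.pem" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  build_pki "$d"
  client_accepts "$d" old-root.pem old-cross.pem && echo "old-CA client: accepted"
  client_accepts "$d" new-root.pem old-cross.pem && echo "new-CA client: accepted"
  client_accepts "$d" new-root.pem || echo "new-CA client, no intermediate: rejected"
  rm -rf "$d"
}
demo
```

The server certificate and its key are never reissued; only the chain the server sends changes. Path building differs between supplicants, so the result from `openssl verify` should be confirmed on the client platforms in use.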
