Skip to Content.
Sympa Menu

geteduroam - RE: Configuring with multiple root CAs (for CA rollover)

Subject: An open discussion list for topics related to the geteduroam service

List archive

RE: Configuring with multiple root CAs (for CA rollover)


Chronological Thread 
    < Chronological >      < Thread >
  • From: James Potter <Jim.Potter AT jisc.ac.uk>
  • To: Per Mejdal Rasmussen <pmr AT its.aau.dk>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: RE: Configuring with multiple root CAs (for CA rollover)
  • Date: Mon, 11 Sep 2023 07:48:45 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dItOyf0cc+CCoWn9Zyu2c/mIjnj5QjeViLjkdX1IbRI=; b=mN0dDBylCqpbCoBSXz2LGnj0rn8+4z/yEkgcB7T1e49dt6kij120+vMFsHVuPvoNFfuzUjVn/V5842+N7+PE+foxIg9Z/yumPyU+lEc1KL9wvim+WxSTLHkt8djBG+R1f2N6eh2l24rvqWBEkHCDsNanNrsbKxvDsqjDA3RlBLpGPqZYAd+2cGHhZ7PEm0uaLEPnUMrIyHotiuYGcGeOza36t4Y/bFKXRTm18bSJICkwcZXw7xHWG/f6btql4Ghm1YKIcv14k7HZzU0ucm+s9PDmlfYxvxIC1AENfJW3WKF943cRMY5wtMmX9sy14Hs8BbkdhyTjo619mIC5XOs21A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pf9v1lf1LyjyknH5tutOkmr86Hd2tuCyTmQ8em9djtT3qJv0lAse9XKf7x7vZT4xzE58EYVt8L+1QQZ3rftbomIwiYadY1msoVKvb4si1JshCcvCyVXYTr2vAoc5J4eacWAslP3f8ct+R2Lar6FdB4mLyeCetdQ4h0GB0oabIDuoCwzBD4lhA7Sw5ZbXdQYJQASpR2lvf2d9jf8Peqg6KIuU5HiDkf4/S3wyGysdPMU67TJgziJHdcX1rORAFrM4H0xkZoxE8ccoXY37InHJzdjuTpVD/lMjLh0qiiIcG2VExYFAy/OM8aj3f65c8orsH2wIDtwZ0KGScwBPvhn3rQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jisc.ac.uk;

Hi Per,

 

Thanks for this, I’ve tried your suggestion (having some issues, I’ll get there presently) – its good to know that someone else has it working though.

 

Jim Potter

Jisc

 

From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org> On Behalf Of Per Mejdal Rasmussen
Sent: Thursday, August 31, 2023 12:32 PM
To: geteduroam AT lists.geant.org
Subject: Re: Configuring with multiple root CAs (for CA rollover)

 

 

Last year we (Aalborg University) replaced our CA, because it was singed with SHA1.

 

This was the procedure:

  1. Generate new CA
  2. Sign old CA with new CA as an intermediate CA.
  3. Configure radius server to include old CA as an an intermediate CA.
  4. Start using new CA on clients.

 

This procedure did not break any old clients, and did not require clients to support 2 CAs.

 

 

On 2023-08-31 10:34, James Potter wrote:

Hi all,

 

I’m looking to push out an eduroam profile that contains 2 root CAs. The current CA expires soon, I’d like as many users’ devices as possible to have a new CA in place so when we switch to a server cert (issued by the new CA) this change has as little user impact as possible.

 

The issue I’m having is that deployment of the new profile appears erratic. For various Android versions, we see either one or 2 CAs being added (in the case of only 1 cert, I think only the newer one is deployed). I’ve not got a definitive list of Android versions that work/don’t work.

 

Is deployment of multiple CAs meant to work? Has anyone else done this?

 

(Profile in question to test is University of Cumbria – staff/student profile has just the old CA; TESTING DO NOT USE has the new CA too)

 

Any help would be great,

 

Thanks,

 

Jim

Jisc

 

-- 
Per Mejdal Rasmussen
Senior Network administrator
Aalborg University, FRB1 B.1.87
Mobile:  +45 2990 9887
Support: +45 9940 2020

  • RE: Configuring with multiple root CAs (for CA rollover), James Potter, 09/11/2023

Archive powered by MHonArc 2.6.24.

Top of Page