Bruce,

We had this exact same issue! Instead of a default 1024-bit certificate rooted in Equifax, we received a 2048-bit certificate rooted in GeoTrust.

We explained that reconfiguring the tens of thousands of devices 'out there' is an impossibility at this time. Basically, this resulted in a lot of back and forth, but in the end, we leveraged the fact that Verisign had until December 31, 2010 to comply with new regulations that forced them to the 2048-bit offering. Thus, we were able to obtain a renewal for our certificate that would last another 12 months.

We are now migrating towards using Comodo through InCommon. But again, this is through a different root. Luckily, we are nearing a rollout of a new identity management solution along with a WLAN encryption upgrade; each requires reconfiguration on the user's part. We are leveraging these circumstances to roll out a configuration utility that will trust both Equifax as well as our new root.

Many folks will say to just use a self-signed root, but for some entities, that is not an option since the network engineers may not dictate the security policies. :-/

Good luck!

==========
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland....@osu.edu

On Oct 18, 2010, at 12:38 PM, Bruce Boardman wrote:

We just renewed our Verisign CERTs only to find that the Verisign Root has changed. This wouldn't be a big deal, if it were for a web server, but since it's student laptops configured to accept only the old public primary root it has a big impact. Verisign is saying that our only recourse is to reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the Radius auth, and certification.

Anyone solve this already, or have any suggestions about how to avoid reconfiguring all the clients?

|>Bruce Boardman, Network Engineer, Syracuse University - c 315 412-4156<|

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.