Unfortunately, for various reasons, we have had to do this too many times. 

Our policy is for the configuration to trust the certificate chain, rather than 
the server certificate. That allows you to update the server certificate 
without breaking trust.

If you know in advance your new certificate chain, add them to the existing 
client trust. You can then update the server certificate pretty cleanly for 
most users. If desired, you can purge the old certificate trust later at your 
convenience.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-----Original Message-----
From: James Andrewartha [mailto:jandrewar...@ccgs.wa.edu.au] 
Sent: Tuesday, May 15, 2018 11:24 PM
Subject: Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10 client that lost its certificates 
and some EAP configuration) I noticed that our private CA used for WPA2 
Enterprise RADIUS auth expires in September next year. The certificate used by 
the RADIUS servers is valid until January 2024, but am I correct in thinking 
that if the CA has expired the cert won't be trusted either?

Has anyone rotated their cert and have any tips for managing the flag day? I'm 
going to create a new private CA, this time with a 30 year lifetime, although I 
imagine it'll be obsolete before then due to increased crypto requirements. 
Speaking of which, what are the best practices for a private CA these days? 
SHA2 (384bit)? SHA3? RSA? Elliptic Curve?

We are fortunate in that most of our devices are school owned and so we can 
push out wireless configuration. I had a look at the Windows and Mac configs, 
and both of those can trust multiple CAs for a given SSID. On iOS we don't push 
out wireless config, but we were going to reprovision the remaining ones anyway 
at the end of this year so that's fine.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

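Bruce's advice above (trust the chain, add the new CA to client trust first, swap the server certificate, purge the old CA later) and James's question about whether an expired CA takes a still-valid server certificate down with it can both be rehearsed offline. The shell script below is an added example, not code from either poster or from EDUCAUSE; every CA name, the host name radius.school.example and all lifetimes are constructed for the demonstration, and it assumes only an `openssl` binary (1.1.1 or 3.x) on PATH. It builds each client trust bundle the rotation passes through and uses `openssl verify` (with `-attime` for the future date) to show which RADIUS server certificates each bundle accepts.

```shell
#!/bin/sh
# Added example, not from the original thread: rehearse the CA rotation with
# throwaway keys and check with `openssl verify` which RADIUS server
# certificates each client trust bundle accepts. All names are constructed.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal extension profiles so the CA and server certs verify the same way on
# OpenSSL 1.1.1 and 3.x regardless of the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# mk_ca NAME DAYS: self-signed private CA (RSA-2048, SHA-256).
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$1" \
    -config ext.cnf -extensions ca_ext >/dev/null 2>&1
}

# mk_server NAME CA DAYS: RADIUS server certificate issued by CA
# (hypothetical host name radius.school.example).
mk_server() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=radius.school.example" -config ext.cnf >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$3" -sha256 -extfile ext.cnf -extensions server_ext -out "$1.pem" >/dev/null 2>&1
}

# verifies BUNDLE CERT [EPOCH]: does a client trusting BUNDLE accept CERT,
# optionally evaluated as of EPOCH seconds instead of now? Exit 0 = trusted.
verifies() {
  if [ -n "$3" ]; then
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

# Starting state: the CA clients trust today expires in 30 days (think
# "September next year"), while the server cert it issued runs far longer.
mk_ca old-ca 30
mk_server old-server old-ca 365
cp old-ca.pem bundle-old.pem            # what clients trust before the rotation

# Step 1: mint the replacement CA and push it to clients alongside the old one.
mk_ca new-ca 3650
cat old-ca.pem new-ca.pem > bundle-both.pem

# Step 2: issue the server certificate from the new CA and swap it on RADIUS.
mk_server new-server new-ca 365

# Step 3 (later, at your convenience): purge the old CA from client trust.
cp new-ca.pem bundle-new.pem

# A moment after the old CA's notAfter but inside the old server cert's validity.
AFTER_OLD_CA_EXPIRY=$(( $(date +%s) + 60 * 86400 ))

# show BUNDLE CERT [EPOCH]: one report row for the reader.
show() {
  if verifies "$@"; then r=trusted; else r=REJECTED; fi
  printf '%-17s %-16s %s\n' "$1" "$2" "$r"
}
printf '%-17s %-16s %s\n' BUNDLE SERVER-CERT RESULT
show bundle-old.pem  old-server.pem      # today
show bundle-old.pem  new-server.pem      # client not yet updated: rejected
show bundle-both.pem old-server.pem      # transition: either server cert works
show bundle-both.pem new-server.pem
show bundle-new.pem  old-server.pem      # after the purge: old chain rejected
show bundle-new.pem  new-server.pem
echo "Checked as of 60 days from now (old CA expired, old server cert still valid):"
show bundle-both.pem old-server.pem "$AFTER_OLD_CA_EXPIRY"
```

Run it as-is; the printed table traces the rotation, and the last row addresses the expiry question: OpenSSL (like most EAP supplicants) checks the validity period of every certificate in the chain, the trust anchor included, so once the issuing CA's notAfter passes the server certificate is rejected even though its own validity runs on. The middle rows show why pushing the new CA into the combined bundle before the server-side swap matters: during the transition a client that has received the update accepts either server certificate, so the order in which devices pick up the new configuration stops being a flag day.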
**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
