Ditto. If this is for client certs for authentication for wireless, use a private CA.
Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On Sep 16, 2019, at 12:10 PM, Cappalli, Tim (Aruba Security) <t...@hpe.com<mailto:t...@hpe.com>> wrote: An EAP server certificate from a PKI in your control is always the recommended path. A public CA-signed EAP server certificate should be a last resort. tim From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of "McClintic, Thomas" <thomas.mcclin...@uth.tmc.edu<mailto:thomas.mcclin...@uth.tmc.edu>> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Date: Monday, September 16, 2019 at 9:49 AM To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded Windows Systems Thank you for this information. We are planning to change our certificate and path in the coming months and were not aware of these issues. Can you please keep us informed on your progress? I’m also interested in if the private PKI is the preferred method. Hopefully we will be off PEAP and on EAP-TLS by late 2020. Thanks From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Johnson, Neil M Sent: Saturday, September 14, 2019 1:58 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded Windows Systems **** EXTERNAL EMAIL **** This problem has been vexing us for a few weeks, so I’d thought I’d pass along my message to Microsoft and Sectigo in case others run into the same issue. Thanks. -Neil The authentication has been temporarily resolved, BUT only temporarily. The cause of the problem involved many factors: First, The server certificate issued by Sectigo utilizes cross-signed certificates: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ This means that there are two trust chain paths that can be used to validate the server certificate: (see diagram at https://docs.google.com/drawings/d/1P6_ZbsbOMeRJEYwX__s9gJWC5IXgnr7LDUrc7ys8oDs/edit?usp=sharing ) Second, Since the ADDTrust Root CA certificate used in Path #1 expires May 30th of 2020, so I had the RADIUS Server (Aruba ClearPass) configured to send the server and intermediate cert for Path #2. This worked for the majority of systems on campus. Third, However, some customers upgrading from previous versions of Windows (7, 8, and Windows 10 versions previous to 1809) began having authentication issues because of this. It appears that the Windows systems are unable to validate the certificate chain in Path #2. This was confirmed by system traces and packet captures between the client and the RADIUS Server. Temporary solution: I reconfigured the RADIUS server to send the server and intermediate certs for Path #1. This seems to have resolved the issue for the majority of our customers. The long term problem: The AddTrust Root CA certificate expires May 30th, 2020. Customers systems will have to validate the server certificate using Path #2. My concern is that this will break certificate validation (and thus wireless authentication) for many of our customers after the ADDTrust Root CA certificate expires. Action Items: * Microsoft & Sectigo – Needs to find out what is preventing upgraded Windows systems from validating the server certificate via Path #2. * The University of Iowa – Needs to develop a risk mitigation plan prior to May 30th, 2020 (Including the possibility of moving to a private PKI over winter break). I’m happy to help collect additional information required to troubleshoot this issue. Thanks for everyone’s efforts in troubleshooting this issue. If you have any questions please feel free to contact me. -Neil Neil Johnson Network Engineer The University of Iowa +1 319 384-0938 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
