Upon closer inspection, I believe that my fears were overblown.

It seems that what ACTUALLY changed in the certificate was the friendly
name, and the root CA is still the same.  I only discovered this when I
imported the 'new' root CA into our eduroam CAT config and saw that all of
the properties appeared to be the same.

When viewed with the Windows built-in certificate viewer, our certificate
chain appears as:
Sectigo (AAA) - CN = AAA Certificate Services
|__ CN = USERTrust RSA Certification Authority
    |__ CN = InCommon RSA Server CA
        |__ connect.fandm.edu

If I view the details on the Sectigo (AAA) certificate, it shows as issued
to and by 'AAA Certificate Services', which does match the 'old' root CA.
The following screenshots are provided to highlight the source of my
confusion:

[image: image.png]
[image: image.png]
[image: image.png]


All of the certificates in the chain have friendly names that match their
CNs, except for the root.

Nevertheless, since we've gone this far, we are going to issue a new
certificate to both appliances so that they at least match.  I expect that
most clients will need to forget and re-add the network, but our existing
eduroam CAT config will work.  At the moment, our desktop support personnel
are pushing back on moving to a private CA due to the difficulty with
onboarding macOS clients specifically, though they are also not
super-thrilled with the process for iOS devices.  We understand that this
is due to how the client OS handles installing these profiles, and are
hoping that using a different onboarding tool will make the process
bearable for users and help desk staff when we do roll to a private CA,
currently planned for next summer.  We were able to stand up a PoC Private
CA, thanks in very large part to the input that we received here.

I greatly appreciate everyone's input in this thread, and the encouragement
and information that is helping us to move to where we need to be.  This
has been, and continues to be, a valuable learning experience.

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College


On Fri, Aug 13, 2021 at 2:37 PM Jonathan Waldrep <wald...@vt.edu> wrote:

> Going back to the original issue:
>
> On 2021-08-09 07:32:19-0400, Jonathan Miller wrote:
> > [...]
> > The certificates are issued through InCommon, and when I renewed our
> > expiring certificate, I noticed that it is showing that it has a root
> > of Sectigo, where it was previously Comodo. The certificate that is
> > not expiring has a root CA of Comodo.
> > [...]
>
>  InCommon also issues our certificates†. Specifically, our certs are
> signed by [this][1] certificate, with CN "InCommon RSA Server CA". This
> intermediate cert is then signed by [this][2] certificate with CN
> "USERTrust RSA Certification Authority", which is a root certificate.
>
>  Not counting CAs hiding their name because of a bad reputation, I don't
> see "Comodo" or "Sectigo" anywhere in the chain. This has been our chain
> for a while. I've had some other certs issued this week with the same
> chain.
>
>  What are the subject and issuer CNs for the certs you are using? It
> kinda sounds like they are just giving you an alternate chain, which can
> be a real pain to sort out.
>
> †I know, I know. We should use an internal CA. We're working on it.
>
> [1]: http://crt.usertrust.com/InCommonRSAServerCA_2.crt
> [2]: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
>
> --
> Jonathan Waldrep
> Network Engineer
> Network Infrastructure and Services
> Virginia Tech
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
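Added here as a worked example, not part of either message above: the checks
behind both questions in this thread (what the subject and issuer CNs actually
are, and whether the root really changed or only its display name) can be done
with openssl alone. The script generates a throw-away chain so it runs offline;
every name in it (Example Root CA, Example Issuing CA, radius.example.edu, a
cross-signing "Example Legacy Root") and every file name is made up. Point
cert_field, walk_chain and verify_signatures at the PEM bundle you export from
your own appliance instead.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a PEM chain with nothing but
# openssl, the way you would inspect one exported from an appliance. A
# throw-away root -> intermediate -> leaf chain is generated locally, and a
# second "legacy" root cross-signs the first root so the same leaf can be
# served with two different chains (the USERTrust / AAA situation above).
# All names and files are made up; point the functions at your own PEMs.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

mkroot() {  # mkroot name "/CN=..." : self-signed CA in name.pem / name.key
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext -out "$1.pem" 2>/dev/null
}
mkcert() {  # mkcert name "/CN=..." signer.pem signer.key extfile : cert issued by signer
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 30 \
    -extfile "$5" -out "$1.pem" 2>/dev/null
}
mkroot root   "/CN=Example Root CA"
mkroot legacy "/CN=Example Legacy Root"
mkcert int  "/CN=Example Issuing CA" root.pem root.key ca.ext
mkcert leaf "/CN=radius.example.edu" int.pem  int.key  leaf.ext
# Cross-sign: the root's own key and subject, but issued by the legacy root.
openssl req -new -key root.key -subj "/CN=Example Root CA" -out rootx.csr 2>/dev/null
openssl x509 -req -in rootx.csr -CA legacy.pem -CAkey legacy.key -CAcreateserial -days 30 \
  -extfile ca.ext -out rootx.pem 2>/dev/null
cat leaf.pem int.pem root.pem             > chain_short.pem   # ends at the self-signed root
cat leaf.pem int.pem rootx.pem legacy.pem > chain_long.pem    # alternate chain, one level higher
cat leaf.pem root.pem                     > chain_broken.pem  # intermediate missing

cert_field() {  # cert_field subject|issuer cert.pem -> RFC 2253 DN, e.g. "CN=Example Root CA"
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}
cert_fingerprint() {  # SHA-256 of the DER certificate: this, not a display name, identifies a cert
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
cert_spki_hash() {  # SHA-256 of the public key: identical for a root and its cross-signed twin
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}
is_self_signed() { [ "$(cert_field subject "$1")" = "$(cert_field issuer "$1")" ]; }
split_bundle() {  # split_bundle bundle.pem outdir -> outdir/01.pem, 02.pem, ... in bundle order
  mkdir -p "$2"
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%02d.pem", d, n)} n{print > f}' "$1"
}
chain_top_fingerprint() {  # fingerprint of the last cert in a bundle (what the chain terminates at)
  d=$(mktemp -d); split_bundle "$1" "$d"
  cert_fingerprint "$(ls "$d"/*.pem | tail -n 1)"; rm -rf "$d"
}
walk_chain() {  # walk_chain bundle.pem : print each cert, return 1 if a subject/issuer link is missing
  d=$(mktemp -d); split_bundle "$1" "$d"; prev=""; s=""; i=""; bad=0
  for f in "$d"/*.pem; do
    s=$(cert_field subject "$f"); i=$(cert_field issuer "$f")
    printf '%s\n  issuer : %s\n  sha256 : %s\n' "$s" "$i" "$(cert_fingerprint "$f")"
    if [ -n "$prev" ] && [ "$prev" != "$s" ]; then printf '  !! gap: expected %s here\n' "$prev"; bad=1; fi
    prev=$i
  done
  if [ "$s" = "$i" ]; then echo "top is self-signed: $s"
  else echo "top is NOT self-signed: chain stops below $i (alternate chain, or root omitted)"; fi
  rm -rf "$d"; return $bad
}
verify_signatures() {  # verify_signatures anchor.pem bundle.pem : the cryptographic check, not just names
  d=$(mktemp -d); split_bundle "$2" "$d"; r=0
  openssl verify -CAfile "$1" -untrusted "$2" "$d/01.pem" >/dev/null 2>&1 || r=1
  rm -rf "$d"; return $r
}

echo "== chain as served with the self-signed root =="; walk_chain chain_short.pem
echo "== same leaf, alternate chain through the legacy root =="; walk_chain chain_long.pem
echo "== chain with the intermediate missing =="; walk_chain chain_broken.pem || echo "(broken, as expected)"
# Same root or not? Compare fingerprints and keys, never the store's friendly name.
if [ "$(cert_fingerprint root.pem)" != "$(cert_fingerprint rootx.pem)" ] \
   && [ "$(cert_spki_hash root.pem)" = "$(cert_spki_hash rootx.pem)" ]; then
  echo "root and cross-signed twin: different certificates, same key"
fi
verify_signatures root.pem   chain_short.pem && echo "short chain verifies against root"
verify_signatures legacy.pem chain_long.pem  && echo "long chain verifies against legacy root"
```

The friendly name never shows up in any of this output because it is a label
kept in the local certificate store, not a field in the certificate; the
fingerprint and the subject/issuer DNs are what identify a CA. The cross-signed
case is why a chain can appear to end at a different root while the issuing CA
and its key are unchanged: the same "Example Root CA" subject and key exist in
two certificates, one self-signed and one issued by the legacy root, and which
one the viewer shows at the top depends on which chain was sent or built.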
