...
- The Certification Authority (CA) certificate(s) which signed your EAP server certificate
  - always include the root CA (root CAs are indicated with a blue circled "R" beside the certificate details after upload)
  - optionally include intermediate CAs (intermediate certificates are indicated with a blue circled "I" beside the certificate details after upload)
- The name of your server as specified in the Common Name (CN) of your EAP server certificate
Note 1 - root certificates
Root CA certificates are needed because they are the trust anchor which the client device uses to verify the incoming server certificate.
Note 2 - intermediate certificates
These are only useful when your RADIUS server is not sending them during the connection.
Note 3 - server certificates
There is no point in uploading the server certificate itself: it is sent to the client during the EAP exchange at login time. Therefore server certificates (i.e. those without Basic Constraints CA set to TRUE) will not be accepted.
For more information about certificates see here.
Note 4 - CA rollover support
You can upload multiple root CA certificates simultaneously to CAT. This enables CA certificate rollover without a flag day: User devices which were configured with an upcoming new root CA ahead of time will then not even notice the change of server cert from old to new trust root (so long as the Common Name of the server certificate remains unchanged during the rollover).
On the client OSes, all root CAs will be installed and all will be marked trusted. In Windows such certificates also become trusted for all purposes, not just WiFi. Alternatively, you can isolate Android users while giving everyone else multiple trust roots early: in this case, create a different profile (see next section) just for Android and load only the desired root CA into that profile.
Note 5 - expiring certificates
If CA certificates in your configuration expire, your installers will stop working. The CAT profile page will show you warnings when the expiry time is getting closer; when it does, use the rollover procedure to supply new certificates in time. Unfortunately, users configured only with the expired certificate will need to rerun the installation procedure. The same is true if for some reason you need to change the root CA to a new one.
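A pre-upload check following Notes 1, 3 and 5, as an added example that is not part of the original documentation or of CAT itself: it uses the `openssl` command line to tell root CAs, intermediate CAs and non-CA (server) certificates apart and to flag approaching expiry. The function names, the "subject equals issuer" test for a root, and the throwaway certificates it generates are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-upload check: classify a PEM certificate and test how close expiry is.

classify_cert() {  # prints root-ca | intermediate-ca | not-a-ca
    # Only a certificate with Basic Constraints CA:TRUE is a CA certificate.
    if ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo not-a-ca; return
    fi
    # Assumption: a CA certificate whose subject equals its issuer is a root.
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo root-ca
    else
        echo intermediate-ca
    fi
}

expires_within() {  # expires_within FILE DAYS: status 0 if expiry is that near
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

issue() {  # issue DIR NAME SECTION: constructed cert signed by DIR/root.pem
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -subj "/CN=constructed-$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ext.cnf" -extensions "$3" -days 400 \
        -out "$1/$2.pem" 2>/dev/null
}

make_samples() {  # throwaway test PKI in directory $1 (constructed, not real)
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > "$1/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -extensions ca -subj "/CN=Constructed Root CA" -days 30 \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" int ca      # intermediate CA, valid 400 days
    issue "$1" srv leaf    # EAP server (leaf) certificate
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for c in root int srv; do
    printf '%s.pem: %s\n' "$c" "$(classify_cert "$SAMPLES/$c.pem")"
done
if expires_within "$SAMPLES/root.pem" 60; then echo "root.pem: expires within 60 days"; fi
```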
...