Wireless LAN/CA migration

From CT Wiki
(Difference between revisions)
(Apple MacOS and IOS)
(What do we need to do?)
(6 intermediate revisions by one user not shown)
Line 1: Line 1:
 
= Why? =
 
= Why? =
The certificates for Eduroam are expiring. The Certificate Authority AddTrust External Root is expiring on the 30th of May and our wireless.nikhef.nl eduroam certificate expires on the 29th. We have to move to a new Certificate Authority and replace the certificate wireless.nikhef.nl.
+
The certificates that Nikhef uses for Eduroam are expiring. The Certificate Authority "AddTrust External Root" is expiring on the 30th of May and our wireless.nikhef.nl eduroam certificate expires on the 29th.
  
= What do we need to do? =
+
This means Nikhef will have to get a new certificate for eduroam and cannot reuse the same Certificate Authority to get them.  
Every eduroam WiFi client needs to update their eduroam profile before the 28th of May. This ensures there will be no downtime either before or after the certificate is replaced.
+
  
 +
== Background ==
 +
Certificate Authorities are like notaries and essentially give out signed and notarized copies of an identity document, which is called a certificate. Devices connecting to eduroam trust several notaries to verify the identity for authentication servers. This trust is gained by auditing the notary and expires about 10 years after the initial audit. In this case, the trust for the Certificate Authority is expiring, so Nikhef needs to switch to another Certificate Authority.
  
<strong>Note: If you're using an eduroam account from a differint institute (@vu.nl, @uva.nl) you don't need to do anything. Only client that use eduroam with a username@nikhef.nl should be updated.</strong>
+
Up until recently, most devices only supported one Certificate Authority for a WiFi profile and by default still only select one when just connecting by entering credentials. This essentially means that for most Nikhef eduroam clients only one Certificate Authority is trusted and that is the one that will expire. This is something that also has to be fixed in the new updated profiles.
 +
 
 +
 
 +
Nikhef will have to move to a new certificate supplier and replace the certificate for eduroam.
 +
 
 +
= What do I need to do? =
 +
Every device connecting to eduroam needs an updated eduroam profile before the 28th of May. This ensures there will be no downtime either before or after the certificate is replaced. The new profiles will work with the old and the new certificates.
 +
 
 +
You have to reconfigure your eduroam profile on all your devices. Before the 28th of May.
 +
 
 +
<strong>Note: If you're using an eduroam account from a different institute (@vu.nl, @uva.nl) you don't need to do anything. Only devices that use eduroam with a username@nikhef.nl should be updated.</strong>
 +
 
 +
= How do I reconfigure my devices? =
  
= How do I reconfigure my client? =
 
 
== Windows ==
 
== Windows ==
Use the Eduroam Configuration Assistant Tool. For detailed steps see [[Wireless_LAN#Windows]]
+
Use the Eduroam Configuration Assistant Tool. For detailed steps, see [[Wireless_LAN#Windows]]
  
 
== Linux ==
 
== Linux ==
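
Review bot: the added "What do I need to do?" section states the 28th of May deadline twice, and the second statement ends in a fragment ("You have to reconfigure your eduroam profile on all your devices. Before the 28th of May."). Merge it into one sentence or drop the repeat. The added Background section also closes with "Nikhef will have to move to a new certificate supplier and replace the certificate for eduroam", which repeats what the rewritten "Why?" section already says, and "to get them" in that section refers to a single certificate, so it should read "to get it".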

Revision as of 16:22, 18 May 2020


Why?

The certificates that Nikhef uses for eduroam are expiring. The Certificate Authority "AddTrust External Root" is expiring on the 30th of May and our wireless.nikhef.nl eduroam certificate expires on the 29th.

This means Nikhef will have to get a new certificate for eduroam and cannot reuse the same Certificate Authority to get it.

Background

Certificate Authorities are like notaries: they give out signed and notarized copies of an identity document, which is called a certificate. Devices connecting to eduroam trust several notaries to verify the identity of authentication servers. This trust is gained by auditing the notary and expires about 10 years after the initial audit. In this case, the trust for the Certificate Authority is expiring, so Nikhef needs to switch to another Certificate Authority.

Until recently, most devices supported only one Certificate Authority per WiFi profile, and by default they still select only one when you connect by simply entering credentials. For most Nikhef eduroam clients this means that only one Certificate Authority is trusted, and it is the one that will expire. The updated profiles fix this as well.


Nikhef will have to move to a new certificate supplier and replace the certificate for eduroam.

What do I need to do?

Every device connecting to eduroam needs an updated eduroam profile before the 28th of May. This ensures there will be no downtime either before or after the certificate is replaced. The new profiles will work with the old and the new certificates.

You have to reconfigure your eduroam profile on all your devices before the 28th of May.

Note: If you're using an eduroam account from a different institute (@vu.nl, @uva.nl) you don't need to do anything. Only devices that use eduroam with a username@nikhef.nl should be updated.

How do I reconfigure my devices?

Windows

Use the Eduroam Configuration Assistant Tool. For detailed steps, see Wireless_LAN#Windows

Linux

  • If you're using NetworkManager (the default for most distributions), download File:Eduroam-nm.sh and run "sh Downloads/Eduroam-nm.sh" from a terminal. This will update the eduroam profile and make sure you're using the optimal settings for eduroam.
  • If you're using something else to configure the network, like wicd or wpa_supplicant, please use the settings described at Wireless_LAN#Linux.
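
For hand-maintained wpa_supplicant setups, the following added example (not Nikhef's Eduroam-nm.sh and not part of the original page) audits the eduroam network blocks for the problem described under Background. The file paths, user names and placeholder PEM text are constructed, and the "fewer than two CAs" test and the server-name check are assumptions of this example, not settings taken from Wireless_LAN#Linux.

```python
import re

SERVER_NAME, REALM = "wireless.nikhef.nl", "@nikhef.nl"  # names given on this page
PEM = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
# Constructed sample: network blocks from three devices; paths and users are made up.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    identity="alice@nikhef.nl"
    ca_cert="/etc/eduroam/old-ca.pem"
}
network={
    ssid="eduroam"
    identity="bob@nikhef.nl"
    ca_cert="/etc/eduroam/both-cas.pem"
    domain_suffix_match="wireless.nikhef.nl"
}
network={
    ssid="eduroam"
    identity="carol@uva.nl"
}
"""
SAMPLE_BUNDLES = {"/etc/eduroam/old-ca.pem": PEM, "/etc/eduroam/both-cas.pem": PEM * 2}

def parse_networks(conf_text):
    """Yield a dict of key -> unquoted value for each network={...} block."""
    for body in re.findall(r"network=\{(.*?)\n\s*\}", conf_text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines() if "=" in l)
        yield {k.strip(): v.strip().strip('"') for k, v in pairs}

def audit(conf_text, read_bundle):
    """Map each Nikhef eduroam identity to its list of profile problems."""
    report = {}
    for net in parse_networks(conf_text):
        identity = net.get("identity", "")
        if net.get("ssid") != "eduroam" or not identity.endswith(REALM):
            continue  # accounts from other institutes are unaffected
        problems = report.setdefault(identity, [])
        if "ca_cert" not in net:
            problems.append("no ca_cert: server certificate is not verified")
        elif read_bundle(net["ca_cert"]).count("BEGIN CERTIFICATE") < 2:
            problems.append("single CA trusted: fails on one side of the switch")
        pins = [net.get(k, "") for k in ("domain_suffix_match", "domain_match", "altsubject_match")]
        if not any(SERVER_NAME in p for p in pins):
            problems.append("server name not pinned to " + SERVER_NAME)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_BUNDLES.__getitem__))
```

On a real machine, pass a `read_bundle` that opens the file named in `ca_cert` and returns its text.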

Apple macOS and iOS

  • Download File:Nikhef-eduroam-signed.mobileconfig and click/tap on the file to import the correct eduroam profile. It will ask for your permission to update the Certificate Authorities and will correctly configure eduroam.

Android

Download the latest app from the Google Play Store. Run the app and enter your Nikhef username and password (without @nikhef.nl).
