Trusting a certificate manually is a good thing dont you think? In this way aware clients can be ware of the fact that the server to which they are supplying there credentials is really the "correct" server by looking at the chain, and is not a dummy server which will steal there credentials. BR, Anirudh Malhotra 8zero2 Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On 10 Jan 2016, 20:53 +0530, Alan DeKok<aland@deployingradius.com>, wrote:
On Jan 10, 2016, at 6:25 AM, douglas eseng<douglas.eseng@gmail.com>wrote:
After renewal of server cert, existing iOS devices ask user to again trust the cert. Is this normal behaviour?
Yes.
Since it was a renewal, would have thought it is recognized as the same cert and remain trusted.
What, exactly, makes it the "same" cert? The private key has changed. The public key has changed. The fingerprint has changed. The expiry date has changed.
Some fields in the new cert are the same as the old one, so that might help. But there's nothing in the new cert which says "this certificate replaced old certificate X".
Anyone know once user trusted the cert, what digest/fingerprint of the cert does IOS remember? Unable to find info on this from Apple's site.
iOS remembers the fingerprint. Which has changed.
Every time you add a cert, you've got to trust it again. There is a chain of trust for signing certificates. There is no chain of trust for replacing certificates.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html