Server certificate renewal

Alan DeKok aland at
Sun Jan 10 16:23:25 CET 2016

On Jan 10, 2016, at 6:25 AM, douglas eseng <douglas.eseng at> wrote:
> After renewal of server cert, existing iOS devices ask user to again trust
> the cert. Is this normal behaviour?


> Since it was a renewal, would have
> thought it is recognized as the same cert and remain trusted.

  What, exactly, makes it the "same" cert?  The private key has changed.  The public key has changed.  The fingerprint has changed.  The expiry date has changed.

  Some fields in the new cert are the same as the old one, so that might help.  But there's nothing in the new cert which says "this certificate replaced old certificate X".

> Anyone know once user trusted the cert, what digest/fingerprint of the cert
> does IOS remember? Unable to find info on this from Apple's site.

  iOS remembers the fingerprint.  Which has changed.

  Every time you add a cert, you've got to trust it again.  There is a chain of trust for signing certificates.  There is no chain of trust for replacing certificates.

  Alan DeKok.

More information about the Freeradius-Users mailing list