Server certificate renewal
Anirudh Malhotra
8zero2ops at gmail.com
Mon Jan 11 01:58:34 CET 2016
Trusting a certificate manually is a good thing, don't you think? In this way aware clients can be aware of the fact that the server to which they are supplying their credentials is really the "correct" server by looking at the chain, and is not a dummy server which will steal their credentials.
BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On 10 Jan 2016, 20:53 +0530, Alan DeKok <aland at deployingradius.com>, wrote:
> On Jan 10, 2016, at 6:25 AM, douglas eseng <douglas.eseng at gmail.com> wrote:
> > After renewal of server cert, existing iOS devices ask user to again trust
> > the cert. Is this normal behaviour?
>
> Yes.
>
> > Since it was a renewal, would have
> > thought it is recognized as the same cert and remain trusted.
>
> What, exactly, makes it the "same" cert? The private key has changed. The public key has changed. The fingerprint has changed. The expiry date has changed.
>
> Some fields in the new cert are the same as the old one, so that might help. But there's nothing in the new cert which says "this certificate replaced old certificate X".
>
> > Anyone know once user trusted the cert, what digest/fingerprint of the cert
> > does iOS remember? Unable to find info on this from Apple's site.
>
> iOS remembers the fingerprint. Which has changed.
>
> Every time you add a cert, you've got to trust it again. There is a chain of trust for signing certificates. There is no chain of trust for replacing certificates.
>
> Alan DeKok.
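The fingerprint behaviour described in the quoted reply can be reproduced with the openssl CLI. This is an added example, not part of the thread: the subject name, file names and certificates are constructed for the demo. It also goes one step beyond the thread by including a renewal that reuses the old key, since the fingerprint is a hash over the whole certificate and changes there too.

```shell
#!/bin/sh
# Added example. Certificates and the subject name are constructed for the demo.
set -eu
SUBJ="/CN=radius.example.org"          # assumed server name, not from the thread
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert KEY OUT DAYS: self-signed certificate for $SUBJ from an existing key
make_cert() {
    openssl req -x509 -new -key "$1" -subj "$SUBJ" -days "$3" -out "$2" 2>/dev/null
}
# fingerprint CERT: SHA-256 over the DER encoding of the whole certificate
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# subject CERT: the subject DN, one of the fields that can stay the same
subject() {
    openssl x509 -in "$1" -noout -subject
}
# pubkey_hash CERT: SHA-256 over the DER-encoded public key only
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

openssl genrsa -out "$WORK/old.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/new.key" 2048 2>/dev/null
make_cert "$WORK/old.key" "$WORK/old.pem"     365   # certificate users already trusted
make_cert "$WORK/new.key" "$WORK/rekeyed.pem" 365   # renewal with a new key pair
make_cert "$WORK/old.key" "$WORK/samekey.pem" 730   # renewal reusing the old key

for c in old rekeyed samekey; do
    echo "== $c"
    subject     "$WORK/$c.pem"
    echo "cert sha256: $(fingerprint "$WORK/$c.pem")"
    echo "key  sha256: $(pubkey_hash "$WORK/$c.pem")"
done
```

All three certificates print the same subject, and each has a different certificate fingerprint; only the public-key hash of the same-key renewal matches the original.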