Server certificate renewal

Anirudh Malhotra 8zero2ops at
Mon Jan 11 01:58:34 CET 2016

Trusting a certificate manually is a good thing dont you think? In this way aware clients can be ware of the fact that the server to which they are supplying there credentials is really the "correct" server by looking at the chain, and is not a dummy server which will steal there credentials.

Anirudh Malhotra
Mail: at
Twitter: @8zero2_in

On 10 Jan 2016, 20:53 +0530, Alan DeKok<aland at>, wrote:
> On Jan 10, 2016, at 6:25 AM, douglas eseng<douglas.eseng at>wrote:
> > After renewal of server cert, existing iOS devices ask user to again trust
> > the cert. Is this normal behaviour?
> Yes.
> > Since it was a renewal, would have
> > thought it is recognized as the same cert and remain trusted.
> What, exactly, makes it the "same" cert? The private key has changed. The public key has changed. The fingerprint has changed. The expiry date has changed.
> Some fields in the new cert are the same as the old one, so that might help. But there's nothing in the new cert which says "this certificate replaced old certificate X".
> > Anyone know once user trusted the cert, what digest/fingerprint of the cert
> > does IOS remember? Unable to find info on this from Apple's site.
> iOS remembers the fingerprint. Which has changed.
> Every time you add a cert, you've got to trust it again. There is a chain of trust for signing certificates. There is no chain of trust for replacing certificates.
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list